Privacy Policy

Last update: April 15th, 2022

The website www.tryriot.com (hereinafter the “Website”) published by the company Riot Security, Inc. (hereinafter “Riot Security” or “we”), provides access to the Riot Solution (hereinafter the “Riot Solution”) for companies in order to train employees and raise their awareness about cybersecurity risks (hereinafter “Cybersecurity Services”).

While you are accessing, browsing, navigating and using the Website and the Riot Solution, you communicate your personal data to Riot Security.

Please read this privacy policy carefully as it explains how Riot Security uses your personal data and how to exercise your rights. This privacy policy supplements the Terms & Conditions or any documents or notices that may refer to this privacy policy.

Should you have any questions, you may directly contact Riot Security by sending an email to support@tryriot.com.


1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?

When you are using the publicly available Website:

Riot Security is the data controller of personal data collected and processed for the administrative, operational and commercial management of the Website as publisher.

When you are using the Riot Solution:

your employer is the data controller of personal data collected and processed for the provision of the Cybersecurity Services to which it has subscribed;

Riot Security is the data processor, acting in the name and on behalf of your employer, of personal data collected and processed for the provision of the Cybersecurity Services to which your employer has subscribed.


2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?

All personal data directly provided by your employer or you, as well as all personal data generated from your use of the Cybersecurity Services, namely:

| Type of data | Examples of data |
|---|---|
| Identification data | First name, last name, photograph |
| Contact details (professional and/or personal) | Email address, telephone number |
| Professional data | Company (name and sector), position |
| Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer) | Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer) |
| Data related to your exchanges with Riot Security | Date, subject and content of your exchanges with the internal services of Riot Security |
| Data related to your job application | Any information provided as part of your job application |

Also, the Website automatically collects the following data via cookies and other trackers:

| Type of data | Examples of data |
|---|---|
| Internet or other electronic network activity information | Date and time of the connection, IP address, device type, browser type, operating system, viewed pages |

This data is necessary for the proper functioning of the Website and internal business analytics purposes such as audience measurement. For more information on cookies and other trackers, please see the Cookies Policy.

The provision of certain types of personal data may be necessary or optional in order to fully use the Website and the Cybersecurity Services subscribed by your employer. Mandatory data will be marked as such at the point of collection. If you refuse to provide mandatory data, Riot Security may not be able to process your request (e.g., creation of your Riot Security account, provision of the Cybersecurity Services, processing your job application, etc.).

3. FOR WHAT PURPOSES DOES RIOT SECURITY USE YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:

| Purposes | Examples of use of your personal data | Legal bases that may be used by the controller |
|---|---|---|
| Creation and management of your Riot Security account | to create your Riot Security account (via your Slack, Gmail or Outlook identifiers) as manager; to allow you to authenticate yourself on the Riot Solution and access the dashboard related to the Cybersecurity Services subscribed by your employers; to allow you to update your account as needed | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Provision of the Cybersecurity Services subscribed by your employer | to provide you with the Cybersecurity Services subscribed by your employer (trainings, phishing exercises, etc.); to make statistics on your awareness level about the cybersecurity risks | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Monitoring on the web (only if your employer wanted to offer you this feature) | to check on the web if your contact details (professional and personal) are available | Your consent |
| Compliance with legal and regulatory obligations | to comply with legal and regulatory obligations; to process your requests to exercise your rights | Legal and regulatory obligations to which Riot Technology is subject as data processor |

4. WHO CAN ACCESS YOUR PERSONAL DATA?

| Recipients | Purposes |
|---|---|
| Riot Security and its duly authorized employees | For the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy |
| Slack Technologies, LLC | For the sole purpose of authenticating you on the Riot Solution using your Slack identifiers to access your Riot Security account |
| Google, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Gmail identifiers to access your Riot Security account |
| Microsoft, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Outlook identifiers to access your Riot Security account |
| Service providers of Riot Security (hosting provider, IT service providers, IT solutions publishers, etc.) | Exclusively for operational and technical purposes related to the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy |
| Administrative or judiciary authorities | Exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions |
| Lawyers and all interested parties | Exclusively in the case of the management of possible disputes and other legal matters where appropriate |
| Other third parties | Following or during a restructuring, reconstitution, acquisition, debt financing, merger, sale of assets of Riot Security or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of Riot Security |

5. WILL YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA?

As far as possible, your personal data is processed within the European Union (EU)/European Economic Area (EEA). However, Riot Security and some of its service providers are located outside of the EU/EEA.

When your personal data is transferred outside the EU/EEA, Riot Security will, in the absence of an adequacy decision and after assessing the level of protection of your rights in the third country where the recipient of your personal data is established, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses). A copy of such safeguards can be obtained by sending an email directly to Riot Security at support@tryriot.com.

| Service provider | Third country | Adopted safeguard |
|---|---|---|
| Riot Security, Inc. | United States | Standard Contractual Clauses |
| Amazon Web Services, Inc. | United States | Standard Contractual Clauses |
| Slack Technologies, LLC | United States | Standard Contractual Clauses |
| Google, Inc. | United States | Standard Contractual Clauses |
| Microsoft, Inc. | United States | Standard Contractual Clauses |
| Intercom, Inc. | United States | Standard Contractual Clauses |
| Segment.io, Inc. | United States | Standard Contractual Clauses |
| FullStory, Inc. | United States | Standard Contractual Clauses |
| Mailgun Technologies, Inc. | United States | Standard Contractual Clauses |
| Functional Software, Inc. | United States | Standard Contractual Clauses |
| Datadog, Inc. | United States | Standard Contractual Clauses |
| HubSpot, Inc. | United States | Standard Contractual Clauses |

6. HOW DOES RIOT SECURITY PROTECT YOUR PERSONAL DATA?

Riot Security has implemented technical and organizational measures to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or disclosure of your personal data. These measures will guarantee a level of security appropriate for the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

Riot Security guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, Riot Security reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

If you have found a vulnerability or would like to report a security incident, you may send an email to support@tryriot.com.


7. FOR HOW LONG IS YOUR PERSONAL DATA STORED?


As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), it stores:

• the data collected in case of a demo of the Riot Solution for three (3) years for direct marketing;

• the data collected in case of a contact request until the complete processing of such request;

• the data collected in the context of your application to a job offer for two (2) years from your last contact with Riot Security, unless you request the destruction of your file;

• your traffic data for a period of thirteen (13) months from their collection.

Beyond that, this data is stored for five (5) years for evidence purposes.

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), it stores the data provided or generated from the use of the Riot Solution during its contractual relationship with your employer. Beyond that, this data is stored for five (5) years for evidence purposes.


8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?


When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), you may directly contact Riot Security if you have any questions or wish to exercise the following rights by sending an email to support@tryriot.com.

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), you may directly contact your employer if you have any questions or wish to exercise the following rights.

If you are based in the EU/EEA, you have the following rights over your personal data:

• you can request the access to your personal data in order to obtain clear, transparent and understandable information about how your personal data are processed and about your rights (as provided in this policy), as well as a copy of your personal data.

• you can request the rectification of your personal data in order to obtain the modification of your personal data if it is obsolete, inaccurate or incomplete.

• you can object to the processing of your personal data when the processing is based on legitimate interest. Your personal data will no longer be processed unless the data controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as the respect of a legal obligation (e.g., legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims.

• you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:

    • you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for the data controller to verify the accuracy of such personal data;

    • the processing is unlawful and, rather than requesting its deletion, you prefer to restrict its use;

    • the data controller no longer needs your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;

    • you have objected to the processing, which is thus restricted pending the verification of whether the compelling legitimate grounds of the data controller may override your interests, rights and freedoms.

• you can withdraw your consent when it has been obtained, without this withdrawal affecting the lawfulness of the processing operations previously carried out.

• you can ask to receive your personal data in a structured, commonly used and machine-readable format and can also request their transmission to a third party where technically feasible. This right does not apply in all circumstances; it applies only if all of the following conditions are fulfilled:

    • your request is only related to your personal data (excluding anonymous or third-party data);

    • your request does not adversely affect the rights and freedoms of the data controller (in particular business secrecy) or third parties (in particular intellectual property rights);

    • the processing is carried out by automated means (paper files are therefore not included);

    • the processing is based on consent or the performance of a contract (to check whether this is the case, see section 3 of this policy).

• you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:

    • you object to the processing of your personal data and there are no overriding legitimate reasons justifying the continued processing of your personal data;

    • you decide to withdraw your consent on which the processing is based;

    • your personal data are no longer useful for the original purposes for which they were collected or for any other type of processing;

    • the use that is made of your data does not comply with the applicable legal or regulatory provisions.

Depending on your country of residence, you may have additional local rights with respect to our processing of your personal data.

It is specified that the exercise of these rights is based on the legal basis of the processing, as follows:

| Legal basis | Access | Rectification | Erasure | Restriction | Data portability | Objection |
|---|---|---|---|---|---|---|
| Consent | Yes | Yes | Yes | Yes | Yes | Yes |
| Steps prior to entering into a contract | Yes | Yes | Yes | Yes | Yes | No |
| Contract | Yes | Yes | Yes | Yes | Yes | No |
| Legitimate interest | Yes | Yes | Yes | Yes | No | Yes |
| Legal obligation | Yes | Yes | No | Yes | Yes | No |

Under certain circumstances, certain specific information can be requested in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed, you may also lodge a complaint with your national data protection authority (for example, the CNIL if you are located in France). This right may be exercised at any time and free of charge, excluding potential postal fees or expenses related to legal representation or assistance should you choose to engage third-party assistance for the procedure.

9. CHANGES TO THIS POLICY

This privacy policy may be amended from time to time, in particular to reflect the changes in the Website, Cybersecurity Services or the applicable regulations. Therefore, we recommend that you review this privacy policy each time you visit the Website or the Riot Solution.