Privacy policy

Last update: October, 18th, 2024

The website www.tryriot.com (hereinafter the “Website”) published by the company Riot Security, Inc. (hereinafter “Riot Security” or “we”), provides access to the Riot Solution (hereinafter the “Riot Solution”) for companies in order to train employees and raise their awareness about cybersecurity risks (hereinafter “Cybersecurity Services”).

While you are accessing, browsing, navigating and using the Website and the Riot Solution, you communicate your personal data to Riot Security. 

Please read this privacy policy carefully as it explains how Riot Security uses your personal data and how to exercise your rights. This privacy policy supplements the Terms & Conditions or any documents or notices that may refer to this privacy policy. 

Should you have any questions, you may directly contact Riot Security by sending an email to support@tryriot.com.

1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?

When you are using the publicly available Website

  • Riot Security is the data controller of personal data collected and processed for the administrative, operational and commercial management of the Website as publisher.

When you are using the Riot Solution:

  • your employer is the data controller of personal data collected and processed for the provision of the Cybersecurity Services to which it has subscribed;
  • Riot Security is the data processor, acting in the name and on behalf of your employer, of personal data collected and processed for the provision of the Cybersecurity Services to which your employer has subscribed.

In the European Union, Riot Security is represented by Riot Security SAS.

2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?

All personal data is directly provided by your employer or you, one of our external partner, as well as generated from your use of the the Cybersecurity Services, namely:

Type of data

Examples of data

Identification data

First name, last name, photography

Contact details (professional and/or personal)

Email addresses, phone number

Professional data

Company, position, LinkedIn URL, seniority

Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer)

Training history, chatbot conversations, reactions to a phishing campaign (ignored email, opened email, reported email, compromised identifiers, etc.), strength of the password, contact details (professional and personal), assessment of your awareness level related to the cybersecurity risks, last SIM card swap

Data related to your exchanges with Riot Security

Date, subject, voice and video recordings and content of your exchanges with the internal services of Riot Security

Data related to your job application

Any information provided as part of your job application

Also, the Website automatically collect the following data via cookies and other trackers:

Type of data

Examples of data

Purposes

Internet or other electronic network activity information

Date and time of the connection, IP address, device type, browser type, operating system, location, viewed pages, session records, Solution logs

This data is necessary for the proper functioning of the Website and internal business analytics purposes such as audience measurement and the security of the Website and the Solution.. For more information on cookies and other trackers, please see the Cookies Policy.

The provision of certain types of personal data may be necessary or optional,in order to fully use the Website and the Cybersecurity Services subscribed by your employer. Mandatory data will be marked as such at the point of collection. If you refuse to provide mandatory data, Riot Security may not be able to process your request (e.g., creation of your Riot Security account, provisions of the Cybersecurity Services, processing your job application, etc.). 

3. FOR WHAT PURPOSES DOES RIOT SECURITY USE YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), your personal data is processed for the following reasons:

Purposes

Examples of use of your personal data

Legal bases

Booking a demo of the Riot Solution

  • to book a demo of the Riot Solution depending on your availabilities
  • to present you the Riot Solution
  • to contact you if necessary

To take steps prior to entering into a contract and your consent to demo recording

Processing your contact requests

  • to process your contact request
  • to contact you if necessary

Legitimate interest of Riot Security to respond to contact requests

Sending sales and marketing communications

  • to send you communications about the business activities and services of Riot Security that might interest you
  • to measure the performance of marketing and sales communications and ads

Legitimate interest of Riot Security to develop its activity (with your consent when required by the applicable law)

Managing your job application

  • to examine your job application
  • to organize an interview
  • if your job application is successful, to organize an interview to assess your professional skills in regard of the job

To take steps prior to entering into a contract

Including you in our talent pool

  • to let you know about new job opportunities that might interest you

Legitimate interest of Riot Security in feeding its talent pool

Improving the Website, the Cybersecurity Services, as well as your user experience 

  • to collect your feedback about the Cybersecurity Services subscribed by your employer and publish it on the Website (with your consent if applicable)
  • to ensure the proper functioning of the Website and the Riot Solution
  • to measure the audience of the Website and analyze the use of the Riot Solution
  • to take steps designed to protect the security of the Website and the Riot Solution

Legitimate interest of Riot Technology to improve the Website, the Cybersecurity Services, as well as your user experience 

Your consent collected through the Cookies banner

Pre-litigation or litigation management

  • to take action against any identified breach
  • to manage any dispute or litigation

Legitimate interest of Riot Security in defending its rights and interests

Compliance with legal and regulatory obligations  

  • to comply with legal and regulatory obligations
  • to process your requests to exercise your rights

Legal and regulatory obligations to which Riot Technology is subject as data controller

Billing and contract management

  • to allow the contracting of the employer to the Cybersecurity Services
  • to proceed to the payment of the subscribed Cybersecurity Services
  • to provide you with the invoices in your "Billing" space

Performance of the contract

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:

Purposes

Examples of use of your personal data

Legal bases that may be used by the controller

Creation and management of your Riot Security account

to create your Riot Security account (via your Slack, Gmail or Outlook identifiers) as manager to allow you to authenticate yourself on the Riot Solution and access the dashboard related to the Cybersecurity Services subscribed by your employers to allow you to update your account as needed

Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems

Provision of the Cybersecurity Services subscribed by your employer

to provide you with the Cybersecurity Services subscribed by your employer (trainings, phishing exercises, etc.)  to make statistics on your awareness level about the cybersecurity risks

Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems

Compliance with legal and regulatory obligations  

to comply with legal and regulatory obligations to process your requests to exercise your rights 

Legal and regulatory obligations to which Riot Security is subject as data processor

At your employer's discretion, the Riot Solution can deploy features involving artificial intelligence to offer you high-performance Cybersecurity Services and improve user awareness of data protection and cybersecurity.

4. WHO CAN ACCESS YOUR PERSONAL DATA?

Recipients

Purposes

Riot Security and its duly authorized employees

For the management of the Website and the provisions of the Cybersecurity Services, as detailed in the section 3 of this policy

Slack Technologies, LLC

For the purpose of authenticating you on the Riot Solution using your Slack identifiers to access your Riot Security account

Google, Inc.

For the purpose of authenticating you on the Riot Solution using your Gmail identifiers to access your Riot Security account. Riot phishing reporter use and transfer to any other app of information received from Google API will adhere to Google API Services User Data Policy, including the Limited use requirements.

Microsoft, Inc.

For the sole purpose of authenticating you on the Riot Solution using your Outlook identifiers to access your Riot Security account

Service providers of Riot Security

(hosting provider, service providers, IT solutions publishers, etc.) 

Exclusively for operational and technical purposes related to the management of the Website and the provisions of the Cybersecurity Services, as detailed in the section 3 of this policy

Administrative or judiciary authorities

Exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions

Lawyers and all interested parties

Exclusively in the case of the management of possible disputes and other legal matters where appropriate

Wireless carriers

When using the Lookup Sim Swap service, you authorize your wireless carrier to use or disclose information about your account and your wireless device, if available, to Riot Security or its service provider for the duration of your business relationship, solely to help them identify you or your wireless device and to prevent fraud.

Other third parties

Following or during a restructuring, reconstitution,  acquisition, debt financing, merger, sale of assets of Riot Security or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of Riot Security

5. WILL YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA? 

As far as possible, your personal data is processed within the European Union (EU)/European Economic Area (EEA). However, Riot Security and some of its service providers are located outside of the EU/EEA. 

Riot Security complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Riot Security has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

If you have an inquiry or complaint, please contact dpo@tryriot.com so Riot Security can address it. If Riot Security can’t resolve your complaint, you may also contact your local data protection authority within the European Economic Area or the United Kingdom (as applicable), with which Riot Security commits to cooperate, for unresolved complaints concerning the handling of your personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. It is also possible, under certain conditions, to invoke binding arbitration for complaints not resolved by any of the other DPF mechanisms, as outlined more fully on the DPF website. Please note as well that Riot Security is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

In some cases, Riot Security may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. More information about the safeguards that have been implemented to protect transfers of personal data is available in the Data Processing Agreement. If Riot Security transfers your personal data onward to a third party, it will continue to remain liable under the DPF Principles.

When your personal data is transferred outside the EU/EEA, Riot Security will, in the absence of an adequacy decision and after that an assessment of the level of protection of your rights on the territory of the third country where the recipient of your personal data is established has been carried out, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses). A copy of such safeguards can be obtained by sending an email directly to Riot Security at dpo@tryriot.com.

Service provider

Third country

Adopted safeguard

Riot Security, Inc.

United States

EU-US Adequacy decision

Slack Technologies, LLC

United States

EU-US Adequacy decision

Google, Inc.

United States

EU-US Adequacy decision

Microsoft, Inc.

United States

EU-US Adequacy decision

Intercom, Inc.

United States

EU-US Adequacy decision

Twilio, Inc.

United States

EU-US Adequacy decision

Mailgun Technologies, Inc.

United States

Standard Contractual Clauses

Functional Software, Inc.

United States

EU-US Adequacy decision

Datadog, Inc.

United States

EU-US Adequacy decision

HubSpot, Inc.

United States

EU-US Adequacy decision

Temporal, Inc.

United States

Standard Contractual Clauses

Airtable, Inc.

United States

Standard Contractual Clauses

Stripe, Inc.

United States

EU-US Adequacy decision

Calendly, Inc.

United States

EU-US Adequacy decision

Docusign, Inc.

United States

Standard Contractual Clauses

OpenAI OpCo, LLC

United States

Standard Contractual Clauses

Zoom, Inc.

United States

Standard Contractual Clauses

Superlative Enterprises Pty Ltd

United States

Standard Contractual Clauses

LinkedIn

United States

EU-US Adequacy decision

Google Ads

United States

EU-US Adequacy decision

Lever Inc.

United States

Standard Contractual Clauses

6. How does RIOT SECURITY protect your personal data?

Riot Security has implemented technical and organizational measures to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or divulgation of your personal data. These measures will guarantee a level of security appropriate for the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

Riot Security guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, Riot Security reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

If you have found a vulnerability or would like to report a security incident, you may send an email to  support@tryriot.com.

7. FOR HOW LONG IS YOUR PERSONAL DATA STORED?

As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.

  • When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), it stores: 
  • the data collected in case of a demo of the Riot Solution during three (3) year for directing marketing;
  • the data collected in case of contact request until the complete processing of such request;
  • the data collected in the context of your application to a job offer is store during two (2) years as from your last contact with Riot Security, except request of destruction of your file;
  • your traffic data will be kept for a period up to thirteen (13) months from their collection.
  • When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), it stores the data provided or generated from the use of the Riot Solution during its contractual relationship with your employer. Beyond, this data is stored during one (1) year, deleted upon request or anonymized.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), you may directly contact Riot Security if you have any questions or wish to exercise the following rights by sending an email to dpo@tryriot.com.

When you are using the Rio Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), you may directly contact your employer if you have any questions or wish to exercise the following rights. 

If you are based in the EU/ EEA, you have the following rights over your personal data:

  • you can request access to your personal data in order to obtain clear, transparent and understandable information about how your personal data are processed and about your rights (as provided in this policy), as well as a copy of your personal data. 
  • you can request the rectification of your personal data in order to obtain the modification of your personal data if it is obsolete, inaccurate or incomplete.
  • you can object to the processing of your personal data when the processing is based on legitimate interest. Your personal data will no longer process your personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as the respect of a legal obligation (e.g., legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims.
  • you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:
  • you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for the data controller to verify the accuracy of such personal data;
  • the processing is unlawful and, rather than requesting its deletion, you prefer to restrict its use;
  • the data controller no longer needs your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
  • you have objected to the processing, which is thus restricted pending the verification of whether the compelling legitimate grounds of the data controller may override your interests, rights and freedoms.
  • you can withdraw your consent when it has been obtained, without this withdrawal affecting the lawfulness of the processing operations previously carried out.
  • you can ask to receive your personal data in a structured, commonly used and machine-readable format and also can request their transmission to a third party where technically feasible. This right is not exercised in all circumstances, it applies only if it fulfills all the following conditions: 
  • your request is only related to your personal data (excluding anonymous or third-party data); 
  • your request does not adversely affect the rights and freedoms of the data controller (in particular business secrecy) or third parties (in particular intellectual property rights);
  • the processing is carried out by automated means (paper files are therefore not included); 
  • the processing is based on consent or the performance of a contract (to check if it is the case, you can see the section 3 of this policy). 
  • you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:
  • you object to the processing of your personal data and there are no overriding legitimate reasons justifying to maintain the processing of your personal data; 
  • you decide to withdraw your consent on which the processing is based;
  • your personal data are no longer useful for the original purposes for which they were collected or for any other type of processing;
  • the use that is made of your data does not comply with the applicable legal or regulatory provisions. 
  • Depending on your country of residence, you may have additional local rights with respect to our processing of your personal data.

It is specified that the exercise of these rights is based on the legal basis of the processing, as follows:

Access

Rectification

Erasure

Restriction

Data portability

Objection

Consent

Yes

Yes

Yes

Yes

Yes

Withdrawal of consent

Steps prior to entering into a contract

Yes

Yes

Yes

Yes

Yes

No

Contract

Yes

Yes

Yes

Yes

Yes

No

Legitimate interest

Yes

Yes

Yes

Yes

No

Yes

Legal obligation

Yes

Yes

No

Yes

No

No

Under certain circumstances, certain specific information can be requested in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed, you may also lodge a complaint with your national data protection authority (the CNIL if you are located in France for example). This right may be exercised at any time and free of charge, at the exclusion of potential postal fees or expenses related to legal representation or assistance should you choose to engage third party assistance for the procedure.

9. Changes to this policy

This privacy policy may be amended from time to time, in particular to reflect the changes in the Website, Cybersecurity Services or the applicable regulations. Therefore, we recommend that you review this privacy policy each time you visit the Website or the Riot Solution.