Last update: November, 3rd, 2023
The website www.tryriot.com (hereinafter the “Website”) published by the company Riot Security, Inc. (hereinafter “Riot Security” or “we”), provides access to the Riot Solution (hereinafter the “Riot Solution”) for companies in order to train employees and raise their awareness about cybersecurity risks (hereinafter “Cybersecurity Services”).
While you are accessing, browsing, navigating and using the Website and the Riot Solution, you communicate your personal data to Riot Security.
Please read this privacy policy carefully as it explains how Riot Security uses your personal data and how to exercise your rights. This privacy policy supplements the Terms & Conditions or any documents or notices that may refer to this privacy policy.
Should you have any questions, you may directly contact Riot Security by sending an email to support@tryriot.com.
1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?
When you are using the publicly available Website:
- Riot Security is the data controller of personal data collected and processed for the administrative, operational and commercial management of the Website as publisher.
When you are using the Riot Solution:
- your employer is the data controller of personal data collected and processed for the provision of the Cybersecurity Services to which it has subscribed;
- Riot Security is the data processor, acting in the name and on behalf of your employer, of personal data collected and processed for the provision of the Cybersecurity Services to which your employer has subscribed.
In the European Union, Riot Security is represented by Riot Security SAS.
2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?
All personal data is directly provided by your employer or you, one of our external partner, as well as generated from your use of the the Cybersecurity Services, namely:
| Type of data | Examples of data |
| Identification data | First name, last name, photography |
| Contact details (professional and/or personal) | Email address, telephone number |
| Professional data | Company (name and sector), position |
| Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer) | Training history, reactions to a phishing campaign (ignored email, opened email, compromised identifiers, etc.), strength of the password, contact details (professional and personal), assessment of your awareness level related to the cybersecurity risks |
| Data related to your exchanges with Riot Security | Date, subject, voice and video recordings and content of your exchanges with the internal services of Riot Security |
| Data related to your job application | Any information provided as part of your job application |
Also, the Website automatically collect the following data via cookies and other trackers:
| Type of data | Examples of data | Purposes |
| Internet or other electronic network activity information | Date and time of the connection, IP address, device type, browser type, operating system, viewed pages | This data is necessary for the proper functioning of the Website and internal business analytics purposes such as audience measurement. For more information on cookies and other trackers, please see the Cookies Policy. |
The provision of certain types of personal data may be necessary or optional,in order to fully use the Website and the Cybersecurity Services subscribed by your employer. Mandatory data will be marked as such at the point of collection. If you refuse to provide mandatory data, Riot Security may not be able to process your request (e.g., creation of your Riot Security account, provisions of the Cybersecurity Services, processing your job application, etc.).
3. FOR WHAT PURPOSES DOES RIOT SECURITY USE YOUR PERSONAL DATA?
When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), your personal data is processed for the following reasons:
| Purposes | Examples of use of your personal data | Legal bases |
| Booking a demo of the Riot Solution |
|
To take steps prior to entering into a contract and your consent to demo recording |
| Processing your contact requests |
|
Legitimate interest of Riot Security to respond to contact requests |
| Sending marketing communications |
|
Legitimate interest of Riot Security to develop its activity (with your consent when required by the applicable law) |
| Managing your job application |
|
To take steps prior to entering into a contract |
| Including you in our talent pool |
|
Legitimate interest of Riot Security in feeding its talent pool |
| Improving the Website, the Cybersecurity Services, as well as your user experience |
|
Legitimate interest of Riot Technology to improve the Website, the Cybersecurity Services, as well as your user experience |
| Pre-litigation or litigation management |
|
Legitimate interest of Riot Security in defending its rights and interests |
| Compliance with legal and regulatory obligations |
|
Legal and regulatory obligations to which Riot Technology is subject as data controller |
| Billing and contract management |
|
Performance of the contract |
When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:
| Purposes | Examples of use of your personal data | Legal bases that may be used by the controller |
| Creation and management of your Riot Security account | to create your Riot Security account (via your Slack, Gmail or Outlook identifiers) as manager to allow you to authenticate yourself on the Riot Solution and access the dashboard related to the Cybersecurity Services subscribed by your employers to allow you to update your account as needed | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Provision of the Cybersecurity Services subscribed by your employer | to provide you with the Cybersecurity Services subscribed by your employer (trainings, phishing exercises, etc.) to make statistics on your awareness level about the cybersecurity risks | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Monitoring on the web (only if your employer wanted to offer you this feature) | to check on the web if your contacts details (professional and personal) are available | Your consent |
| Compliance with legal and regulatory obligations | to comply with legal and regulatory obligations to process your requests to exercise your rights | Legal and regulatory obligations to which Riot Security is subject as data processor |
4. WHO CAN ACCESS YOUR PERSONAL DATA?
| Recipients | Purposes |
| Riot Security and its duly authorized employees | For the management of the Website and the provisions of the Cybersecurity Services, as detailed in the section 3 of this policy |
| Slack Technologies, LLC | For the sole purpose of authenticating you on the Riot Solution using your Slack identifiers to access your Riot Security account |
| Google, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Gmail identifiers to access your Riot Security account. Riot phishing reporter use and transfer to any other app of information received from Google API will adhere to Google API Services User Data Policy, including the Limited use requirements. |
| Microsoft, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Outlook identifiers to access your Riot Security account |
| Service providers of Riot Security (hosting provider, IT service providers, IT solutions publishers, etc.) | Exclusively for operational and technical purposes related to the management of the Website and the provisions of the Cybersecurity Services, as detailed in the section 3 of this policy |
| Administrative or judiciary authorities | Exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions |
| Lawyers and all interested parties | Exclusively in the case of the management of possible disputes and other legal matters where appropriate |
| Other third parties | Following or during a restructuring, reconstitution, acquisition, debt financing, merger, sale of assets of Riot Security or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of Riot Security |
5. WILL YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA?
As far as possible, your personal data is processed within the European Union (EU)/European Economic Area (EEA). However, Riot Security and some of its service providers are located outside of the EU/EEA.
Riot Security complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Riot Security has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
If you have an inquiry or complaint, please contact dpo@tryriot.com so Riot Security can address it. If Riot Security can’t resolve your complaint, you may also contact your local data protection authority within the European Economic Area or the United Kingdom (as applicable), with which Riot Security commits to cooperate, for unresolved complaints concerning the handling of your personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. It is also possible, under certain conditions, to invoke binding arbitration for complaints not resolved by any of the other DPF mechanisms, as outlined more fully on the DPF website. Please note as well that Riot Security is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
In some cases, Riot Security may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. More information about the safeguards that have been implemented to protect transfers of personal data is available in the Data Processing Agreement. If Riot Security transfers your personal data onward to a third party, it will continue to remain liable under the DPF Principles.
When your personal data is transferred outside the EU/EEA, Riot Security will, in the absence of an adequacy decision and after that an assessment of the level of protection of your rights on the territory of the third country where the recipient of your personal data is established has been carried out, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses). A copy of such safeguards can be obtained by sending an email directly to Riot Security at dpo@tryriot.com.
| Service provider | Third country | Adopted safeguard |
| Riot Security, Inc. | United States | EU-US Adequacy decision |
| Slack Technologies, LLC | United States | EU-US Adequacy decision |
| Google, Inc. | United States | EU-US Adequacy decision |
| Microsoft, Inc. | United States | EU-US Adequacy decision |
| Intercom, Inc. | United States | EU-US Adequacy decision |
| Twilio, Inc. | United States | EU-US Adequacy decision |
| FullStory, Inc. | United States | EU-US Adequacy decision |
| Mailgun Technologies, Inc. | United States | Standard Contractual Clauses |
| Functional Software, Inc. | United States | EU-US Adequacy decision |
| Datadog, Inc. | United States | EU-US Adequacy decision |
| HubSpot, Inc. | United States | EU-US Adequacy decision |
| Temporal, Inc. | United States | Standard Contractual Clauses |
| Airtable, Inc. | United States | Standard Contractual Clauses |
| Stripe, Inc. | United States | EU-US Adequacy decision |
| Tagis, Inc. | United States | Standard Contractual Clauses |
| Calendly, Inc. | United States | EU-US Adequacy decision |
| Docusign, Inc. | United States | Standard Contractual Clauses |
| OpenAI OpCo, LLC | United States | Standard Contractual Clauses |
| Zoom, Inc. | United States | Standard Contractual Clauses |
| ZenLeads, Inc. dba Apollo | United States | Standard Contractual Clauses |
| Aircall.io, Inc. | United States | Standard Contractual Clauses |
| Superlative Enterprises Pty Ltd | United States | Standard Contractual Clauses |
6. How does RIOT SECURITY protect your personal data?
Riot Security has implemented technical and organizational measures to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or divulgation of your personal data. These measures will guarantee a level of security appropriate for the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.
Riot Security guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, Riot Security reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.
If you have found a vulnerability or would like to report a security incident, you may send an email to support@tryriot.com.
7. FOR HOW LONG IS YOUR PERSONAL DATA STORED?
As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.
- When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), it stores:
- the data collected in case of a demo of the Riot Solution during three (3) year for directing marketing;
- the data collected in case of contact request until the complete processing of such request;
- the data collected in the context of your application to a job offer is store during two (2) years as from your last contact with Riot Security, except request of destruction of your file;
- your traffic data will be kept for a period of twelve (12) months from their collection.
- When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), it stores the data provided or generated from the use of the Riot Solution during its contractual relationship with your employer. Beyond, this data is stored during one (1) year, deleted at the request of the employer or anonymized with the employer's permission for research purposes.
8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?
When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), you may directly contact Riot Security if you have any questions or wish to exercise the following rights by sending an email to dpo@tryriot.com.
When you are using the Rio Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), you may directly contact your employer if you have any questions or wish to exercise the following rights.
If you are based in the EU/ EEA, you have the following rights over your personal data:
- you can request access to your personal data in order to obtain clear, transparent and understandable information about how your personal data are processed and about your rights (as provided in this policy), as well as a copy of your personal data.
- you can request the rectification of your personal data in order to obtain the modification of your personal data if it is obsolete, inaccurate or incomplete.
- you can object to the processing of your personal data when the processing is based on legitimate interest. Your personal data will no longer process your personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as the respect of a legal obligation (e.g., legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims.
- you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:
- you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for the data controller to verify the accuracy of such personal data;
- the processing is unlawful and, rather than requesting its deletion, you prefer to restrict its use;
- the data controller no longer needs your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
- you have objected to the processing, which is thus restricted pending the verification of whether the compelling legitimate grounds of the data controller may override your interests, rights and freedoms.
- you can withdraw your consent when it has been obtained, without this withdrawal affecting the lawfulness of the processing operations previously carried out.
- you can ask to receive your personal data in a structured, commonly used and machine-readable format and also can request their transmission to a third party where technically feasible. This right is not exercised in all circumstances, it applies only if it fulfills all the following conditions:
- your request is only related to your personal data (excluding anonymous or third-party data);
- your request does not adversely affect the rights and freedoms of the data controller (in particular business secrecy) or third parties (in particular intellectual property rights);
- the processing is carried out by automated means (paper files are therefore not included);
- the processing is based on consent or the performance of a contract (to check if it is the case, you can see the section 3 of this policy).
- you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:
- you object to the processing of your personal data and there are no overriding legitimate reasons justifying to maintain the processing of your personal data;
- you decide to withdraw your consent on which the processing is based;
- your personal data are no longer useful for the original purposes for which they were collected or for any other type of processing;
- the use that is made of your data does not comply with the applicable legal or regulatory provisions.
- Depending on your country of residence, you may have additional local rights with respect to our processing of your personal data.
It is specified that the exercise of these rights is based on the legal basis of the processing, as follows:
| Access | Rectification | Erasure | Restriction | Data portability | Objection | |
| Consent | Yes | Yes | Yes | Yes | Yes | Withdrawal of consent |
| Steps prior to entering into a contract | Yes | Yes | Yes | Yes | Yes | No |
| Contract | Yes | Yes | Yes | Yes | Yes | No |
| Legitimate interest | Yes | Yes | Yes | Yes | No | Yes |
| Legal obligation | Yes | Yes | No | Yes | No | No |
Under certain circumstances, certain specific information can be requested in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.
If needed, you may also lodge a complaint with your national data protection authority (the CNIL if you are located in France for example). This right may be exercised at any time and free of charge, at the exclusion of potential postal fees or expenses related to legal representation or assistance should you choose to engage third party assistance for the procedure.
9. Changes to this policy
This privacy policy may be amended from time to time, in particular to reflect the changes in the Website, Cybersecurity Services or the applicable regulations. Therefore, we recommend that you review this privacy policy each time you visit the Website or the Riot Solution.