Privacy policy

The website www.tryriot.com (hereinafter the “Website”) published by the company Riot Security, Inc. (hereinafter “Riot Security” or “we”), provides access to the Riot Solution (hereinafter the “Riot Solution”) for companies in order to train employees and raise their awareness about cybersecurity risks (hereinafter “Cybersecurity Services”).

While you are accessing, browsing, navigating and using the Website and the Riot Solution, you communicate your personal data to Riot Security. 

Please read this privacy policy carefully as it explains how Riot Security uses your personal data and how to exercise your rights. This privacy policy supplements the Terms & Conditions or any documents or notices that may refer to this privacy policy.

Should you have any questions, you may directly contact Riot Security by sending an email to support@tryriot.com.

1. WHO IS THE DATA CONTROLLER OF YOUR PERSONAL DATA?

When you are using the publicly available Website:

  • Riot Security is the data controller of personal data collected and processed for the administrative, operational and commercial management of the Website as publisher.

When you are using the Riot Solution:

  • your employer is the data controller of personal data collected and processed for the provision of the Cybersecurity Services to which it has subscribed;
  • Riot Security is the data processor, acting in the name and on behalf of your employer, of personal data collected and processed for the provision of the Cybersecurity Services to which your employer has subscribed.

2. WHAT KIND OF PERSONAL DATA ARE PROCESSED?

All personal data directly provided by your employer or you, as well as all personal data generated from your use of the Cybersecurity Services, namely:

| Type of data | Examples of data |
| --- | --- |
| Identification data | First name, last name, photograph |
| Contact details (professional and/or personal) | Email address, telephone number |
| Professional data | Company (name and sector), position |
| Data related to your training and awareness about cybersecurity risks (depending on the Cybersecurity Services subscribed by your employer) | Training history, reactions to a phishing campaign (ignored email, opened email, compromised identifiers, etc.), strength of the password, contact details (professional and personal) available on the web, assessment of your awareness level related to the cybersecurity risks |
| Data related to your exchanges with Riot Security | Date, subject and content of your exchanges with the internal services of Riot Security |
| Data related to your job application | Any information provided as part of your job application |

Also, the Website automatically collects the following data via cookies and other trackers:

| Type of data | Examples of data | Purposes |
| --- | --- | --- |
| Internet or other electronic network activity information | Date and time of the connection, IP address, device type, browser type, operating system, viewed pages | This data is necessary for the proper functioning of the Website and internal business analytics purposes such as audience measurement. For more information on cookies and other trackers, please see the Cookies Policy. |

The provision of certain types of personal data may be necessary or optional in order to fully use the Website and the Cybersecurity Services subscribed by your employer. Mandatory data will be marked as such at the point of collection. If you refuse to provide mandatory data, Riot Security may not be able to process your request (e.g., creation of your Riot Security account, provision of the Cybersecurity Services, processing your job application, etc.).

3. FOR WHAT PURPOSES DOES RIOT SECURITY USE YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:

| Purposes | Examples of use of your personal data | Legal bases |
| --- | --- | --- |
| Booking a demo of the Riot Solution | to book a demo of the Riot Solution depending on your availability; to present the Riot Solution to you; to contact you if necessary | To take steps prior to entering into a contract |
| Processing your contact requests | to process your contact request; to contact you if necessary | Legitimate interest of Riot Security to respond to contact requests |
| Sending marketing communications | to send you communications about the business activities and services of Riot Security that might interest you | Legitimate interest of Riot Security to develop its activity (with your consent when required by the applicable law) |
| Managing your job application | to examine your job application; to organize an interview if your job application is successful, to organize an interview to assess your professional skills with regard to the job | To take steps prior to entering into a contract |
| Including you in our talent pool | to let you know about new job opportunities that might interest you | Legitimate interest of Riot Security in feeding its talent pool |
| Improving the Website, the Cybersecurity Services, as well as your user experience | to collect your feedback about the Cybersecurity Services subscribed by your employer and publish it on the Website (with your consent if applicable); to ensure the proper functioning of the Website and the Riot Solution; to take steps designed to protect the security of the Website and the Riot Solution | Legitimate interest of Riot Technology to improve the Website, the Cybersecurity Services, as well as your user experience |
| Pre-litigation or litigation management | to take action against any identified breach; to manage any dispute or litigation | Legitimate interest of Riot Security in defending its rights and interests |
| Compliance with legal and regulatory obligations | to comply with legal and regulatory obligations; to process your requests to exercise your rights | Legal and regulatory obligations to which Riot Technology is subject as data controller |

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), your personal data is processed only for the following reasons:

| Purposes | Examples of use of your personal data | Legal bases that may be used by the controller |
| --- | --- | --- |
| Creation and management of your Riot Security account | to create your Riot Security account (via your Slack, Gmail or Outlook identifiers) as manager; to allow you to authenticate yourself on the Riot Solution and access the dashboard related to the Cybersecurity Services subscribed by your employer; to allow you to update your account as needed | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Provision of the Cybersecurity Services subscribed by your employer | to provide you with the Cybersecurity Services subscribed by your employer (trainings, phishing exercises, etc.); to make statistics on your awareness level about the cybersecurity risks | Legitimate interest of your employer to train and raise the awareness of their employees about the cybersecurity risks, in order to protect its information systems |
| Monitoring on the web (only if your employer wanted to offer you this feature) | to check on the web if your contact details (professional and personal) are available | Your consent |
| Compliance with legal and regulatory obligations | to comply with legal and regulatory obligations; to process your requests to exercise your rights | Legal and regulatory obligations to which Riot Technology is subject as data processor |

4. WHO CAN ACCESS YOUR PERSONAL DATA?

| Recipients | Purposes |
| --- | --- |
| Riot Security and its duly authorized employees | For the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy |
| Slack Technologies, LLC | For the sole purpose of authenticating you on the Riot Solution using your Slack identifiers to access your Riot Security account |
| Google, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Gmail identifiers to access your Riot Security account. Riot phishing reporter's use and transfer to any other app of information received from Google API will adhere to the Google API Services User Data Policy, including the Limited Use requirements. |
| Microsoft, Inc. | For the sole purpose of authenticating you on the Riot Solution using your Outlook identifiers to access your Riot Security account |
| Service providers of Riot Security (hosting provider, IT service providers, IT solutions publishers, etc.) | Exclusively for operational and technical purposes related to the management of the Website and the provision of the Cybersecurity Services, as detailed in section 3 of this policy |
| Administrative or judiciary authorities | Exclusively in the case of an express and justified request or in case of an alleged violation of legal or regulatory provisions |
| Lawyers and all interested parties | Exclusively in the case of the management of possible disputes and other legal matters where appropriate |
| Other third parties | Following or during a restructuring, reconstitution, acquisition, debt financing, merger, sale of assets of Riot Security or a similar transaction, as well as in case of insolvency, bankruptcy or receivership where personal data are transferred to one or more third parties as assets of Riot Security |

5. WILL YOUR PERSONAL DATA BE TRANSFERRED OUTSIDE OF THE EUROPEAN UNION/EUROPEAN ECONOMIC AREA? 

As far as possible, your personal data is processed within the European Union (EU)/European Economic Area (EEA). However, Riot Security and some of its service providers are located outside of the EU/EEA.

When your personal data is transferred outside the EU/EEA, Riot Security will, in the absence of an adequacy decision and after assessing the level of protection of your rights in the third country where the recipient of your personal data is established, implement all necessary measures through the adoption of appropriate safeguards (such as standard contractual clauses). A copy of such safeguards can be obtained by sending an email directly to Riot Security at support@tryriot.com.

| Service provider | Third country | Adopted safeguard |
| --- | --- | --- |
| Riot Security, Inc. | United States | Standard Contractual Clauses |
| Amazon Web Services, Inc. | United States | Standard Contractual Clauses |
| Slack Technologies, LLC | United States | Standard Contractual Clauses |
| Google, Inc. | United States | Standard Contractual Clauses |
| Microsoft, Inc. | United States | Standard Contractual Clauses |
| Intercom, Inc. | United States | Standard Contractual Clauses |
| Segment.io, Inc. | United States | Standard Contractual Clauses |
| FullStory, Inc. | United States | Standard Contractual Clauses |
| Mailgun Technologies, Inc. | United States | Standard Contractual Clauses |
| Functional Software, Inc. | United States | Standard Contractual Clauses |
| Datadog, Inc. | United States | Standard Contractual Clauses |
| HubSpot, Inc. | United States | Standard Contractual Clauses |

6. HOW DOES RIOT SECURITY PROTECT YOUR PERSONAL DATA?

Riot Security has implemented technical and organizational measures to protect your personal data, in particular against potential data breaches likely to cause, either by accident or unlawfully, the destruction, loss, modification, unauthorized access or disclosure of your personal data. These measures will guarantee a level of security appropriate for the data and will take into account the state of the art and the cost of implementation in relation to the risks and nature of the data to be protected.

Riot Security guarantees that all members of its personnel and any other person processing your personal data will respect the internal rules and procedures related to the processing of personal data, including the technical and organizational security measures put in place to protect your personal data. In this context, Riot Security reviews and updates its practices regularly to enhance your privacy and ensure that its internal policies are followed.

If you have found a vulnerability or would like to report a security incident, you may send an email to support@tryriot.com.

7. FOR HOW LONG IS YOUR PERSONAL DATA STORED?

As a general rule, your personal data will only be retained for the period necessary for the accomplishment of the purposes for which said data was collected, or as necessary to fulfill legal or regulatory obligations.

  • When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), it stores:
      • the data collected in case of a demo of the Riot Solution for three (3) years for direct marketing;
      • the data collected in case of a contact request until the complete processing of such request;
      • the data collected in the context of your application to a job offer for two (2) years from your last contact with Riot Security, unless you request the destruction of your file;
      • your traffic data for a period of thirteen (13) months from their collection.

    Beyond these periods, this data is stored for five (5) years for evidence purposes.

  • When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), it stores the data provided or generated from the use of the Riot Solution during its contractual relationship with your employer. Beyond this period, this data is stored for five (5) years for evidence purposes.

8. WHAT ARE YOUR RIGHTS REGARDING YOUR PERSONAL DATA?

When you are using the publicly available Website and Riot Security therefore acts as data controller (as indicated in section 1 of this policy), you may directly contact Riot Security if you have any questions or wish to exercise the following rights by sending an email to support@tryriot.com.

When you are using the Riot Solution and Riot Security therefore acts as data processor (as indicated in section 1 of this policy), you may directly contact your employer if you have any questions or wish to exercise the following rights.

If you are based in the EU/EEA, you have the following rights over your personal data:

  • you can request access to your personal data in order to obtain clear, transparent and understandable information about how your personal data are processed and about your rights (as provided in this policy), as well as a copy of your personal data.
  • you can request the rectification of your personal data in order to obtain the modification of your personal data if it is obsolete, inaccurate or incomplete.
  • you can object to the processing of your personal data when the processing is based on legitimate interest. The data controller will no longer process your personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, such as the respect of a legal obligation (e.g., legal obligation involving the retention of documents), or for the establishment, exercise or defense of legal claims.
  • you can request the restriction of the processing during a limited period of time, in particular in order to carry out some verifications, where one of the following applies:
      • you contest the accuracy of your personal data, the processing of which is thus restricted for the period necessary for the data controller to verify the accuracy of such personal data;
      • the processing is unlawful and, rather than requesting its deletion, you prefer to restrict its use;
      • the data controller no longer needs your personal data for the purposes of the processing, but you need them for the establishment, exercise or defense of legal claims;
      • you have objected to the processing, which is thus restricted pending the verification of whether the compelling legitimate grounds of the data controller may override your interests, rights and freedoms.
  • you can withdraw your consent when it has been obtained, without this withdrawal affecting the lawfulness of the processing operations previously carried out.
  • you can ask to receive your personal data in a structured, commonly used and machine-readable format and can also request their transmission to a third party where technically feasible. This right cannot be exercised in all circumstances; it applies only if all the following conditions are fulfilled:
      • your request is only related to your personal data (excluding anonymous or third-party data);
      • your request does not adversely affect the rights and freedoms of the data controller (in particular business secrecy) or third parties (in particular intellectual property rights);
      • the processing is carried out by automated means (paper files are therefore not included);
      • the processing is based on consent or the performance of a contract (to check if it is the case, you can see section 3 of this policy).
  • you can request the deletion of your personal data (or right to be forgotten), where one of the following legal grounds applies:
      • you object to the processing of your personal data and there are no overriding legitimate reasons justifying the continued processing of your personal data;
      • you decide to withdraw your consent on which the processing is based;
      • your personal data are no longer useful for the original purposes for which they were collected or for any other type of processing;
      • the use that is made of your data does not comply with the applicable legal or regulatory provisions.
  • Depending on your country of residence, you may have additional local rights with respect to our processing of your personal data.

The exercise of these rights depends on the legal basis of the processing, as follows:


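| Legal basis | Access | Rectification | Erasure | Restriction | Data portability | Objection |
| --- | --- | --- | --- | --- | --- | --- |
| Consent | Yes | Yes | Yes | Yes | Yes | Withdrawal of consent |
| Steps prior to entering into a contract | Yes | Yes | Yes | Yes | Yes | No |
| Contract | Yes | Yes | Yes | Yes | Yes | No |
| Legitimate interest | Yes | Yes | Yes | Yes | No | Yes |
| Legal obligation | Yes | Yes | No | Yes | No | No |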

Under certain circumstances, certain specific information can be requested in order to confirm your identity and ensure the exercise of your rights. This is another appropriate security measure to ensure that personal data is not disclosed to an individual who does not have the right to receive it.

If needed, you may also lodge a complaint with your national data protection authority (the CNIL if you are located in France, for example). This right may be exercised at any time and free of charge, excluding potential postal fees or expenses related to legal representation or assistance should you choose to engage third-party assistance for the procedure.

9. CHANGES TO THIS POLICY

This privacy policy may be amended from time to time, in particular to reflect the changes in the Website, Cybersecurity Services or the applicable regulations. Therefore, we recommend that you review this privacy policy each time you visit the Website or the Riot Solution.