Last Updated: January 21 2019
This Policy does not apply to, and TruSTAR is not responsible for: (i) the practices of any other companies or individuals, or (ii) any third-party websites, platforms, devices, applications or services that you access via links from TruSTAR’s website or web applications (“Third Party Services”). We encourage you to review the privacy policies of any Third Party Services that you access.
What information we collect, and how we collect it:
TruSTAR Website. Browsing information (e.g. browser information, IP addresses) of visitors to the TruSTAR public website (the “Website”) is recorded using cookies (see “Cookies” below) and website logs.
Web application registration and use. Upon customer registration, the TruSTAR web application (the “Application”) collects customer account information (e.g. name, email address, organization, payment information). In addition, we collect general browsing data regarding use of the Application in the same manner as for the Website.
Customer-submitted incident and threat data. TruSTAR customers can use the Application to submit application-wide (i.e. available to all users of the platform) and enclave-specific (i.e. limited to a specified user group) security incident and threat information, which may contain personal data, including the name, IP address, email address and other information associated with security incidents and threats.
How we use the information we collect:
Threat analysis. TruSTAR uses data in the Application for analysis and reporting of network security threats, to provide services including threat insights, threat notifications, threat analysis and threat management guidance.
Threat analysis (profiling and automated decision making). The threat and incident data we collect is used to build profiles of individuals and entities on the Internet who may pose security threats (and of those who do not pose security threats). Our customers may use these profiles to deny access to services and resources to likely malicious actors. Our service is designed to make such automated decision making as targeted as possible, so that any denial of access is limited to that necessary to protect network and data security.
Customer administration. TruSTAR uses customer account information to communicate with customers regarding the Application and TruSTAR services, including for billing and account management features.
Analytics. TruSTAR uses browsing information collected via the Website and Application to analyze user behavior and improve the functions of the Website and Application.
Information on TruSTAR services. TruSTAR uses customer personal data provided via the Website and Application to communicate with visitors about TruSTAR offerings and products.
How we share information:
TruSTAR shares personal data with certain third parties as described below, and takes responsibility for such sharing as provided in this Policy and applicable law.
Threat analysis. TruSTAR shares customer-submitted personal data related to security incidents and threats via the Application with other customers. Customers can use and process data in the Application to facilitate security analysis through incident exchange, collaboration, and threat analysis and visualization.
Threat analysis (profiling and automated decision making). TruSTAR shares profiles of individuals via the Application with customers, who use these profiles to deny access to services and resources to likely malicious actors. Our service is designed to make such automated decision making as targeted as possible, so that any denial of access is limited to that necessary to protect network and data security.
Website analytics. TruSTAR shares browsing information collected from the Website and Application with third-party analytics vendors to analyze user behavior and improve the functions of the Website and Application. TruSTAR does not sell personal data obtained from the Website.
Legal matters. TruSTAR may disclose personal data as required by law, including to meet national security or law enforcement requirements, or if in our judgment it is necessary to protect TruSTAR, our employees, or users from harm, loss, or liability.
Merger or acquisition. If TruSTAR were to merge with or be acquired by another company, or TruSTAR sells substantially all of its assets, the acquirer or resulting company will receive and may continue to use personal data described in this Policy.
Access to, correction, and deletion of personal data:
You may request access to, correction or deletion of your personal data held by TruSTAR by contacting the TruSTAR Chief Privacy Officer at email@example.com. TruSTAR may not delete personal data where the data subject facilitated criminal conduct or conducted malicious attacks.
EU customers of TruSTAR have certain rights to restriction of data processing and data portability to other service providers.
Opting out from marketing communications:
You may opt out of marketing communications regarding TruSTAR products and services (other than important service- and security-related messages), by managing communications preferences on the Application or by accessing the unsubscribe link within TruSTAR marketing communications.
Retention of personal data:
Customer account information collected from the TruSTAR web application is stored as long as the customer is a member of the platform. TruSTAR deletes customer account information if a customer’s account is closed, although the information may continue to persist in TruSTAR’s backups for up to 90 days.
Customer-submitted enclave-specific incident and threat data is available in the TruSTAR web application as long as the customer’s organization is a member of the platform. TruSTAR deletes enclave-specific information if an organization’s account is closed, although the information may continue to persist in TruSTAR’s backups for up to 90 days.
Customer-submitted application-wide incident and threat data is shared in perpetuity with customers of the platform in order to support our core threat management services. This information is not automatically removed when a customer organization closes its account.
Personal data obtained from the Website, including analytics and visitor-submitted personal data, are stored for a maximum of two years, and thereafter are retained only in aggregated and anonymized form.
TruSTAR uses technological and organizational measures to protect personal and other data from unauthorized disclosure, alteration, or destruction. However, data security presents many risks, and TruSTAR cannot guarantee that information will be 100% secure. TruSTAR relies on customers to select secure passwords, to protect those passwords, and to use appropriate security software on their devices. Please contact TruSTAR with any information regarding unauthorized use of the TruSTAR website or web application.
Transfer to United States; EU compliance:
Changes to this Policy:
From time to time, TruSTAR may revise this Policy to reflect changes in the law, changes in TruSTAR’s products, or for other reasons. Updated copies of this Policy will be posted on the Website. If TruSTAR makes material changes to the Policy, TruSTAR will email a copy of the updated policy to customers and Website visitors that provided TruSTAR with their contact information.
Contact information and your rights:
If you have inquiries or complaints about your personal data, you should first contact TruSTAR at firstname.lastname@example.org. If we receive a written complaint, TruSTAR will contact the person who made the complaint to follow up.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
TruSTAR also works with the appropriate regulatory authorities to resolve any complaints regarding personal data that we cannot resolve with our users directly. TruSTAR is regulated by the US Federal Trade Commission. If you are an EU/EEA customer of TruSTAR, you may also have the right to complain to the data protection authorities in your country, and, under certain conditions, to invoke binding arbitration.