Effective as of February 19, 2024, Security Compass and its affiliates (collectively, the “Security Compass Group” or “we” or “us” or “our”) have updated our Privacy Policy. Your privacy is important to us. It is Security Compass’ policy to respect your privacy regarding any information we may collect from you through our website, https://www.securitycompass.com, through other sites we own and operate, and through the products and services we provide. This policy (together with our terms of service and any other documents referred to in it) sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed.
Compliance with Privacy Laws. At Security Compass, the security of your data isn’t an afterthought. We have prioritized the security of customer data long before it was legally required. Our approach has been anchored with a strong commitment to privacy, security, compliance and transparency.
This approach includes supporting our customers’ compliance with various regulatory frameworks, including The Personal Information Protection and Electronic Documents Act (PIPEDA), which received Royal Assent on April 13, 2000, and the consequential amendments; The Data Protection Act, 2018, which became enforceable May 25, 2018; the EU data protection requirements set out in the General Data Protection Regulation (“GDPR”), which became enforceable on May 25, 2018; the California Consumer Privacy Act (“CCPA”), which came into effect January 01, 2020; and other applicable relevant regulatory frameworks. Where a company collects, transmits, hosts or analyzes personal information of EU data subjects, GDPR requires the company to process such data only in a way which guarantees the technical and organizational safeguards mandated by the GDPR.
Understanding the Key Concepts
What is ‘Personal Information’? ‘Personal Information’ means any information relating to an identified or identifiable natural person. The personal information we collect is explicitly stated below.
What is ‘Processing’ of personal information? This can include a large number of actions. In simplified terms, processing your personal information means any operation performed on your personal information regardless of the method or means we use. You can see how we process your data below under ‘What we use your information for’.
What information do we collect? We may collect and process the following data about you:
(i) Personal information: We may ask for personal information, such as your:
This data is considered “identifying information”, as it can be used to personally identify you. We only request personal information relevant to providing you with a service, and only use it to help provide or improve this service. If you consent to receiving communications about our products and services, we may use your personal information to send you product and industry related news and updates. We only send out communications where we are legally allowed to do so.
(ii) Log data: When you visit our website, our servers may automatically log the standard data provided by your web browser. This data is considered “non-identifying information”, as it does not personally identify you on its own. It may however include your computer’s Internet Protocol (IP) address, your browser type and version, the pages you visit, the time and date of your visit, the time spent on each page, and other non-identifying details. We may also collect data about the device you are using to access our website. This data may include the device type, operating system, unique device identifiers, device settings, and geo-location data. What we collect can depend on the individual settings of your device and software. We recommend checking the policies of your device manufacturer or software provider to learn what information they make available to us. It is important to note that this is not an exhaustive list, and the types of personal information that can be collected and processed will vary depending on the specific context.
If you provide us with the personal information of another individual, you represent and warrant that you have the authority to do so, including where applicable that you have obtained the necessary consent of the other person for us to collect, use and/or disclose their personal information.
How we collect the information. We collect information by fair and lawful means, with your knowledge and consent. We only process your data when we have a lawful reason for doing so. We also let you know why we’re collecting it and how it will be used. You are free to refuse our request for this information, with the understanding that we may be unable to provide you with some of your desired services without it.
What we use the information for. We may use a combination of identifying and non-identifying information to understand who our visitors and customers are, how they use our services, and how we may improve their experience of our services in the future. We do not disclose the specifics of this information publicly but may share aggregated and anonymized versions of this information, for example, in website and customer usage trend reports. We may use your personal details to contact you with updates about our website and services, along with promotional content that we believe may be of interest to you. We may contact you via phone, email, social media, or conventional mail. If you wish to opt out of receiving promotional content, you can follow the “unsubscribe” instructions provided alongside any promotional correspondence from us.
Other uses of Personal Information may include:
Where we store the information. The personal information we collect is stored and processed where we or our partners, affiliates and third-party providers maintain facilities. We implement data protection safeguards and we only retain personal information for as long as necessary to provide a service, or to improve our services in future. In most cases, we delete personal information after a period of 2 years and 3 months if we have not received any communication, opt-in notification, or other form of consent from the contact. While we retain this data, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. That said, we advise that no method of electronic transmission or storage is 100% secure and cannot guarantee absolute data security. If you request your personal information be deleted, or where your personal information becomes no longer relevant to our operations, we will erase it from our system within a reasonable timeframe.
Who is the data processor? Any personal information processed by Security Compass in connection with this Privacy Policy is controlled by Security Compass Group which is considered the “data controller” of your personal information under the relevant and applicable data protection laws.
Who are our sub-processors? Security Compass maintains an up-to-date list of the sub-processors used for hosting, or other processing of data in the product specific privacy policies. See below:
How we protect your information. Security Compass employs the following safeguards to ensure the security of your data:
Cookies: We use “cookies” to collect information about you and your activity across our site. A cookie is a small piece of data that our website stores on your computer, and accesses each time you visit, so we can understand how you use our site. This helps us serve you content based on preferences you have specified. Please refer to our Cookie Policy for more information.
Which third parties have access to your information? We use third-party services for:
These third-party service providers may only access your data for the sole purpose of performing specific tasks on behalf of Security Compass. We do not share any personally identifying information with them without your consent. We do not give them permission to disclose or use any of your data for any other purpose. We may, from time to time, allow limited access to our data by external consultants and agencies for the purpose of analysis and service improvement. This access is only permitted for as long as necessary to perform a specific function. We will refuse government and law enforcement requests for data if we believe a request is too broad or unrelated to its stated purpose. However, we may cooperate if we believe the requested information is necessary and appropriate to comply with legal process, to protect our own rights and property, to protect the safety of the public and any person, to prevent a crime, or to prevent what we reasonably believe to be illegal, legally actionable, or unethical activity. We do not otherwise share or supply personal information to third parties. We do not sell or rent your personal information to marketers or third parties.
Children’s Privacy: This website does not knowingly target children or collect personal information from children. As a parent/guardian, please contact us if you believe your child is participating in an activity involving personal information on our website, where you have not consented to the collection of such data. We do not use your supplied contact details for marketing or promotional purposes.
Limits of our policy: This privacy policy only covers Security Compass’ own collecting and handling of data. Our website may link to external sites that are not operated by us. Please be aware that we have no control over the content and policies of those sites and cannot accept responsibility or liability for their respective privacy practices.
Your rights and responsibilities: As our user, you have the right to be informed about how your data is collected and used. You are entitled to know what data we collect about you, and how it is processed. You are entitled to correct and update any personal information about you, and to request this information be deleted. You may amend or remove your account information at any time, using the tools provided in your account control panel. You are entitled to restrict or object to our use of your data, while retaining the right to use your personal information for your own purposes. You have the right to opt out of data about you being used in decisions based solely on automated processing.
How do I exercise my privacy rights? To ensure we honor your rights, you may contact us and submit a verifiable request in regard to the following: Where you have previously agreed to us using your personal information for direct marketing purposes, and you wish to withdraw your consent (this may also be done through the unsubscribe function in an email received from us). You may request access to your information, or to have your information changed or removed. Requests will be handled as soon as reasonably possible, but in all cases within 30 days. If you believe the information we hold about you is incorrect, or your personal information is being processed unlawfully, you may contact us to have this rectified.
Your California Privacy Rights
Security Compass does not sell or share personal information collected through our website with third parties for commercial purposes or monetary gain, and therefore does not offer an opt out of sale link on our homepage for CCPA purposes.
Consumers will not be discriminated against for exercising their privacy rights. For more information on how to exercise your California consumer privacy rights, see the section of this privacy policy ‘How do I exercise my privacy rights?’.
Changes to our Privacy Policy: This privacy policy was last updated on February 19, 2024. At our discretion, we may change our privacy policy to reflect current acceptable practices. We will take reasonable steps to let users know about changes via our website. If you are a registered user on https://www.securitycompass.com, we will notify you using the contact details saved in your account. Your continued use of this site after any changes to this policy will be regarded as acceptance of our practices around privacy and personal information.
Does Security Compass have a Data Protection Officer (DPO)?
Yes, Security Compass has a dedicated Data Protection Officer/Privacy Officer, and you can request the contact details by emailing [email protected].
We use cookies to help improve your experience of https://www.securitycompass.com.
This cookie policy is part of Security Compass’ privacy policy and covers the use of cookies between your device and our site. We also provide basic information on third-party services we may use, who may also use cookies as part of their service, though they are not covered by our policy. If you don’t wish to accept cookies from us, you should instruct your browser to refuse cookies from https://www.securitycompass.com, with the understanding that we may be unable to provide you with some of your desired content and services.
What is a cookie? A cookie is a small piece of data that a website stores on your device when you visit, typically containing information about the website itself, a unique identifier that allows the site to recognise your web browser when you return, additional data that serves the purpose of the cookie, and the lifespan of the cookie itself. Cookies are used to enable certain features (e.g. logging in), to track site usage (e.g. analytics), to store your user settings (e.g. timezone, notification preferences), and to personalise your content (e.g. advertising, language). Cookies set by the website you are visiting are normally referred to as “first-party cookies”, and typically only track your activity on that particular site. Cookies set by other sites and companies (i.e. third parties) are called “third-party cookies”, and can be used to track you on other websites that use the same third-party service.
Types of cookies and how we use them
Essential cookies – Essential cookies are crucial to your experience of a website, enabling core features like user logins, account management, shopping carts and payment processing. We do not use this type of cookie on our site.
Performance cookies – Performance cookies are used in the tracking of how you use a website during your visit, without collecting personal information about you. Typically, this information is anonymous and aggregated with information tracked across all site users, to help companies understand visitor usage patterns, identify and diagnose problems or errors their users may encounter, and make better strategic decisions in improving their audience’s overall website experience. These cookies may be set by the website you’re visiting (first-party) or by third-party services. We use performance cookies on our site.
Functionality cookies – Functionality cookies are used in collecting information about your device and any settings you may configure on the website you’re visiting (like language and timezone settings). With this information, websites can provide you with customised, enhanced or optimised content and services. These cookies may be set by the website you’re visiting (first-party) or by third-party services. We use functionality cookies for selected features on our site.
Targeting/advertising cookies – Targeting/advertising cookies are used in determining what promotional content is more relevant and appropriate to you and your interests. Websites may use them to deliver targeted advertising or to limit the number of times you see an advertisement. This helps companies improve the effectiveness of their campaigns and the quality of content presented to you. These cookies may be set by the website you’re visiting (first-party) or by third-party services. Targeting/advertising cookies set by third-parties may be used to track you on other websites that use the same third-party service. We use targeting/advertising cookies on our site.
Third-party cookies on our site – We may employ third-party companies and individuals on our websites—for example, analytics providers and content partners. We grant these third parties access to selected information to perform specific tasks on our behalf. They may also set third-party cookies in order to deliver the services they are providing. Third-party cookies can be used to track you on other websites that use the same third-party service. As we have no control over third-party cookies, they are not covered by Security Compass’ cookie policy.
How you can control or opt out of cookies – If you do not wish to accept cookies from us, you can instruct your browser to refuse cookies from our website. Most browsers are configured to accept cookies by default, but you can update these settings to either refuse cookies altogether, or to notify you when a website is trying to set or update a cookie. If you browse websites from multiple devices, you may need to update your settings on each individual device. Although some cookies can be blocked with little impact on your experience of a website, blocking all cookies may mean you are unable to access certain features and content across the sites you visit.
Important information about SD Elements
The SD Elements Privacy Policy contains information about the privacy practices surrounding how we (Security Compass) collect and manage information relating to users who use our product, SD Elements.
What is SD Elements?
SD Elements is a web application created by Security Compass which helps companies write secure software by providing guidance on best practices in secure software development and by integrating with software tools that are used to develop software.
Examples of such tools are:
Who controls and manages my access to SD Elements?
A license to SD Elements is purchased by your company, who then manages your access to the features and projects that are set up by your company in SD Elements. Security Compass does not directly view your data except for the purposes of helping your company get up and running with the software, and for helping to resolve issues where they arise when we’re working in partnership with your company to optimize SD Elements for its unique environment.
Where is SD Elements hosted?
Depending on your company’s security requirements, they may choose to host in one of two ways:
What information is collected when you use SD Elements?
Information collected is restricted to:
We also use cookies to help you manage your access to SD Elements.
Why is this information collected?
Use of Name and Email Address: We use your name and email address for the following reasons:
The types of activities we record in the activity log include:
Use of IP Address: We record the IP address you use when you sign into SD Elements so that we are able to audit and troubleshoot in the event you run into technical issues accessing specific features of SD Elements.
Contractual Obligations: We capture and process this information as part of a contractual arrangement with your company to enable SD Elements to help your company write secure software.
Can my personal information be shared with any other systems? Depending on how your company chooses to configure SD Elements, they may use it in conjunction with other tools such as code analysis tools and Issue Tracking Systems. In this case, information about your activities in SD Elements may be shared with these tools and your activities in these tools may be shared with SD Elements. Your company may also use the SD Elements platform to take data about your activities in SD Elements and share them with another tool in use at your company.
Does SD Elements use machine learning to track my activity and predict my behavior?
SD Elements does not use automated machine learning to either track your behavior or predict your activities.
Will my information leave the country I’m located in?
If your company’s version of SD Elements is hosted in the cloud, your information may be transferred across multiple locations. This is possible if the hosting provider that hosts SD Elements creates a server in another location for the purposes of improving performance or ensuring SD Elements is regularly available for your company to use. Normally, Security Compass remains neutral about where SD Elements in the cloud is physically hosted. However, your company may contractually require that SD Elements be hosted in a specific country.
If my information is transferred to another location, will it be secure? SD Elements is a secure, encrypted web application that protects your information regardless of where SD Elements is hosted.
How long is my information retained?
For the purpose of enabling your company to conform to compliance and audit regulations, we retain your information for as long as your company licenses SD Elements. Please note: Your information will not be deleted in the event that you leave the company while SD Elements is still being used by this company. If your company stops being an SD Elements customer, the information will be securely removed from our servers and backed up in an encrypted backup file for a period of at least six months. This information is stored in case your company wishes to retrieve it for audit purposes or restart their SD Elements license at a later time.
Who are the Sub-processors used for SD Elements?
Name of Sub-processor | Address of Sub-processor | Services/Sub-processing provided |
Amazon Web Services | 410 Terry Avenue North Seattle, WA 98109 | Host provider for SaaS based SD Elements customers |
Salesforce Service Cloud & Experience Cloud | Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105 | Service Cloud is the customer support ticketing software used by the support team. Experience Cloud is an experience portal for customers. |
Important information about eLearning
The eLearning Privacy Policy contains information about the privacy practices surrounding how we (Security Compass) collect and manage information relating to users who use our eLearning product.
What is Security Compass eLearning?
eLearning is a training mechanism created by Security Compass which teaches students the fundamentals of software security through a collection of modules and suites. Examples of such training suites are:
Who controls and manages my access to eLearning?
A license to eLearning may be purchased directly by you, or by your company on your behalf. When your company purchases the license, your company manages your access to the courseware. Security Compass does not directly view your data except for the purposes of helping your company with the software implementation, and for helping to resolve issues where they arise when we’re working in partnership with your company to optimize eLearning for its unique environment.
Where is eLearning hosted?
Depending on your company’s security requirements, they may choose to host in one of two ways:
What information is collected when you use eLearning?
Information collected is restricted to:
We also use cookies to help you manage your access to eLearning.
Why is this information collected?
Use of Name and Email Address: We use your name and email address for the following reasons:
Use of IP Address.
We record the IP address you use when you sign into eLearning so that we are able to audit and troubleshoot in the event you run into technical issues accessing specific features of the LMS.
Can my personal information be shared with any other systems?
Your company may also use the eLearning platform to access and obtain data about your activities (such as test results) and share them with another tool in use at your company. Security Compass does not share your information with any third party system.
Does eLearning use machine learning to track my activity and predict my behavior?
eLearning does not use automated machine learning to either track your behavior or predict your activities.
Will my information leave the country I’m located in?
If your company’s version of eLearning is hosted in the cloud, your information may be transferred across multiple locations. This is possible if the hosting provider that hosts the LMS creates a server in another location for the purposes of improving performance or ensuring eLearning is regularly available for your company to use. Normally, Security Compass remains neutral about where eLearning in the cloud is physically hosted. However, your company may contractually require that your data be hosted in a specific country.
How long is my information retained?
For the purpose of enabling your company to conform to compliance and audit regulations, we retain your information for as long as your company licenses eLearning. Please note: Your information will not be deleted in the event that you leave the company while eLearning is still being used by this company, unless you or your company request its removal. If your company stops being an eLearning customer, the information will be securely removed from our servers and backed up in an encrypted backup file for a period of at least six months. This information is stored in case your company wishes to retrieve it for audit purposes or restart their eLearning license at a later time.
Who are the sub-processors used for eLearning?
Name of Sub-processor: Docebo
Address of Sub-processor: Via Parco 47, 20853 Biassono (MB) Italy
Services/Sub-processing provided: Host provider for SaaS based SD Elements customers
Name of Sub-processor: Salesforce Service Cloud & Experience Cloud
Address of Sub-processor: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105
Services/Sub-processing provided: Service Cloud is the customer support ticketing software used by the support team. Experience Cloud is an experience portal for customers.
The Kontra Privacy Policy contains information about the privacy practices surrounding how we (Security Compass) collect and manage information relating to users who use or access our application security training product – Kontra.
What is Security Compass Kontra?
Kontra is a training mechanism owned by Security Compass which teaches students application security training and software security education through interactive learning.
Examples of such training courses are:
Who controls and manages my access to Kontra?
A license to Kontra courses may be purchased directly by you, or by your company on your behalf. When your company purchases the license, your company manages your access to the courseware. Security Compass does not directly view your data except for the purposes of helping your company with the software implementation, and for helping to resolve issues where they arise when we’re working in partnership with your company to optimize Kontra for its unique environment.
Where is Kontra hosted?
Depending on your company’s security requirements, they may choose to host in one of two ways:
What information is collected when you use Kontra?
Security Compass does not actively collect any personal information when Kontra runs on your company’s or a third party’s learning management system; however, some learning management systems may automatically send personal information to us. The ability to receive this personal information is entirely based on your company’s (or third party’s) learning management system’s configuration. In this case, information collected is restricted to:
We also use cookies to help you manage your access to Kontra courses.
Please note that the information provided is simply logged and your company is at liberty to configure its learning management system to not forward this information to us.
In the event Kontra is hosted in the cloud, we will retain the following information:
Why is this information collected?
Use of Name and Email Address: We use your name and email address for the following reasons:
Use of IP Address.
We record the IP address and save it in the Apache logs as part of a standard HTTP request.
Can my personal information be shared with any other systems?
Your company may also use the Kontra platform to access and obtain data about your activities and share them with another tool in use at your company. Security Compass does not share your information with any third party system.
Does Kontra use machine learning to track my activity and predict my behavior?
Kontra does not use automated machine learning to either track your behavior or predict your activities.
Will my information leave the country I’m located in?
If your company’s version of Kontra is hosted in the cloud, your information may be transferred across multiple locations. This is possible if the hosting provider that hosts the LMS creates a server in another location for the purposes of improving performance or ensuring eLearning is regularly available for your company to use. Normally, Security Compass remains neutral about where Kontra in the cloud is physically hosted. However, your company may contractually require that your data be hosted in a specific country.
How long is my information retained?
For the purpose of enabling your company to conform to compliance and audit regulations, we retain your information for as long as your company licenses Kontra. Please note: Your information will not be deleted in the event that you leave the company while Kontra is still being used by this company, unless you or your company request its removal. If your company stops being a Kontra customer, the information will be securely removed from our servers and backed up in an encrypted backup file for a period of at least six months. This information is stored in case your company wishes to retrieve it for audit purposes or restart their Kontra license at a later time.
Who are the sub-processors used for Kontra?
Name of Sub-processor: Sendgrid
Address of Sub-processor: 1801 California Street, Suite 500, Denver, CO 80202
Services/Sub-processing provided: This is a third party service used to send signup emails, invitation emails and forgotten password emails.
Name of Sub-processor: Amazon Web Services
Address of Sub-processor: 410 Terry Avenue North Seattle, WA 98109
Services/Sub-processing provided: Host provider for SaaS based Kontra customers
Who do I contact if I require more clarity about Security Compass’ Privacy Policy?
For more information about Security Compass’ Privacy Policy, you can contact us through:
Write: Security Compass Technologies Ltd.
Attn: Legal Department
325 Front St W Unit 103,
Toronto, ON M5V 2Y1
Phone: 1.888.777.2211
Email: [email protected]