HYAS Infosec Inc. Privacy Statement (V2.01.2020)
1. WE CARE ABOUT YOUR PRIVACY
This Privacy Statement, which is made effective January 1, 2020, has been prepared by HYAS Infosec Inc. (“HYAS,” “we,” “us,” or “our”) and sets out the manner in which HYAS collects, uses, stores, transfers, discloses, manages and otherwise processes your personal information, including the data collected through our website (located at http://www.hyas.com; “Website”) and through other interactions.
Our visitors’ privacy is very important to us:
- The privacy and protection of the data that we hold is of the utmost importance.
- We have a duty of care to the people whose personal information we process.
- We only collect and process the data that we need – nothing more.
- We do not hold on to your personal information for longer than is needed.
- Except as provided in this Privacy Statement or as is agreed by you outside of this agreement, we will not sell, transfer or otherwise process the data that we collect from you.
- We will not cause your private personal information to become public (unless we are required to do so by law).
We ask that you read through this Privacy Statement, so that you may familiarize yourself with our privacy-related practices and policies.
2. RELEVANT LEGISLATION
Our Website, along with this Privacy Statement and our internal data policies, is intended to comply with the following pieces of legislation:
- EU General Data Protection Regulation 2018 (GDPR)
- California Consumer Privacy Act of 2018 (CCPA)
- Other applicable privacy laws
By complying with the above legislation, we and this Website should also be in compliance with the data protection and privacy requirements of many other countries and territories. However, if you have any concerns regarding our Website’s handling of data, please contact us per the contact information found below (see section 15: Contact Information & Data Protection Officer).
3. YOUR PERSONAL INFORMATION: WHAT WE COLLECT FROM YOU DIRECTLY & WHAT THIS DATA IS USED FOR
The term “personal information” generally means information about an identifiable individual. However, if you are a California consumer, it may also refer to a reasonably identifiable household. Examples of personal information include various identifiers, such as your name, physical address, phone number and email address. Personal information may additionally include certain data types that are capable of identifying you indirectly, including, for example, information related to your internet activity.
This section 3 describes the manner in which we collect personal information from you directly. This section additionally provides you with information concerning what we use your personal information for. For purposes of this Privacy Statement, we refer to the personal information that we collect from a source other than you as “Source Data”. Accordingly, for more information regarding our collection and use of Source Data, please refer to section 4 (Source Data: What We Collect & What This Data Is Used For), below. The only case in which we “sell” your personal information, as defined under the CCPA, occurs solely in the context of section 4. All other transfers of your personal information occur in the course of us and our service providers providing you with the products and services described in this section, and to the best of our knowledge, we do not collect or otherwise process the personal information of minors under the age of 16.
The following are examples of situations where we may collect your personal information from you, directly – this may occur when you:
- Request HYAS content or schedule a demonstration on our Website;
- Participate in a security or informational webinar hosted or co-hosted by us;
- Enter into a contract with us, either directly or through your employer;
- Sign up to attend an event hosted or co-hosted by us;
- Sign up to receive promotional communications;
- Participate in our surveys or customer research;
- Apply for employment at HYAS or enter into a working relationship with HYAS;
- Contact us with a comment, question or complaint.
HYAS Content Requests and/or Scheduling of Demonstrations: You do not have to register to visit and browse certain features of our Website. However, to view HYAS content (for example: whitepapers and e-books) or to schedule a demonstration, you may be required to provide your name, certain business information, such as your title (i.e., your role with your employer), email address and physical address or regional location. You may additionally be asked for your contact preferences. More information on how this information is used, as well as to how you may manage your contact preferences to modify or opt out of such use, may be found in sub-section B of this section 3, below.
Entering into a Contract with HYAS: If you are or become, or the company through which you are employed is or becomes, our customer (via a separate contract for our products and/or services), or if we enter into negotiations concerning some other agreement, whether or not we enter into such agreement, then we may need to collect certain personal information from you to enable us to refine and process contractual terms, authorize your access to our products and/or services, and/or fulfill our contractual obligations to you or your employer, as applicable. Please refer to section 6 (Customer/Contractual Information), below, for further details in this respect.
Events. Whenever HYAS hosts or co-hosts an event, all co-hosts will be disclosed in the promotional materials for such event. As a condition of your participation, you may be asked to provide your consent to our and our co-hosts (each a “Co-Host” and collectively, the “Co-Hosts”) use and transfer, amongst one-another, of your personal information, to allow for the collective planning, promotion, facilitation and execution of the event and to enable each Co-Host to advertise and organize future events. Your voice and/or likeness may be captured at the event, and in some cases, you may be asked to provide your prior consent to the Co-Hosts’ use of such material for the Co-Hosts’ marketing and/or promotional purposes, as a condition of your participation. Other personal information that may be collected at or leading up to an event may vary. At minimum, we will ask for your name, company name, email address and phone number, and when asked to disclose such information, we will always clarify the purposes for which such information is being collected, will be disclosed and the Co-Hosts’ intended uses for such information; accordingly, in disclosing such information, you will have consented to the same. Subject to any other terms and conditions of your consent, any personal information that is gathered by a Co-Host before, at or after an event, including, for example, by way of an event-related survey, may additionally be used by any or all Co-Hosts to understand industry-wide pain points, enhance products and/or service offerings, or for the Co-Hosts’ general marketing purposes.
Promotions: When you participate in a promotion, we may collect your name, company name, email address, phone number, physical address and any other information that you may provide. We use this information to administer your participation in a contest or promotion. At the time that you enter the contest or promotion, we may ask for your consent so that we might send you future promotional communications.
Surveys and Customer Research: From time to time, we may offer you the opportunity to participate in one of our surveys or other customer research. The information obtained through our surveys and customer research is used in an aggregated, non-personally identifiable form. We use this information to help us understand our customers, to enhance our product and service offerings, promotions and events, and to assist in the selection of store locations.
HYAS Working Relationship: In connection with a job application or other inquiry regarding potential or actual employment with HYAS, you may provide us with certain personal information about yourself (such as that contained in a resume, cover letter, LinkedIn profile or in similar employment-related materials; for example: educational information, employment information and employment history). We use this information for the purpose of processing and responding to your application for current and future career opportunities. HYAS’ directors, officers, investors, employees, contractors and advisors may provide additional personal information, which HYAS may use for general human relations purposes, including, for example, to process equity and compensation, and to manage other matters that generally fall into the category of tasks that support HYAS’ day-to-day operations. Such additional information may include professional and employment-related information, banking information as well as various formal and informal, internal and external communications (i.e., emails, web-conferences, personal messages, etc.).
Customer Service: When you contact us with a comment, question or complaint, you may be asked for information that identifies you (such as your name, company name, title, email, phone number and address), along with any additional information that we may need to help us promptly answer your question, verify your identification, or respond to your comment or complaint. We may retain this information to create a record of your request, assist you in the future, or improve our customer service, product and service offerings and events and promotions.
Should you choose to provide us with your contact information via one of the above methods or by some other means (for example: via a business card), we may ask that you consent to this Privacy Statement. You may also receive an email from us, within which we may request that you consent to future communications. You are not required to provide your consent, but if you elect not to provide us with your personal information or your consent to our use of such information for the purposes described herein, this may prevent us from delivering our products and/or services. You may retract your consent at any time, and for more information regarding how to manage your communications preferences or opt out of further communications entirely, please scroll down to sub-section B of this section 3, below.
Subject to your having withdrawn your consent, we rely on your consent in addition to any contract that is put into place between us (if applicable), as the legal basis under which we may process your personal information.
While this Website collects and uses your personal information for the foregoing reasons, none of the personal information or other data that you supply to us in accordance with this Section 3 is stored by our Website. Your personal information may be passed to, stored or otherwise processed by any of our third-party data processors, who are identified in section 7 (Our Third-Party Data Processors), below.
A. SITE VISITATION TRACKING
We use this data to understand how our Website is being used, for example:
- The number of people using it;
- The pages visitors visit;
- Where visitors enter the site;
- Where visitors come from;
- Where visitors exit; and
- The demographics of our visitors.
We consider Google to be a third-party data processor (please refer to the below section 7, Our Third-Party Data Processors, for further details):
- GA records data, such as: geographical location, device, internet browsers and operating system. It does not personally identify you to us. While GA also records your device’s IP address, which could be used to personally identify you, GA does not grant us access to this data.
- You can prevent the storage of data relating to your use of the Website and created via the cookie (including your IP address) by GA, as well as the processing of this data by GA, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en. You can also obtain additional information on GA’s collection and processing of data and data privacy and security at the following links: https://policies.google.com/technologies/partner-sites and https://support.google.com/analytics/topic/2919631.
B. CONTACT FORMS AND LINKS PROVIDED THROUGH OUR WEBSITE OR IN AN EMAIL
If you contact us via a contact form on our Website or if you click on a link that is embedded in an email that you receive from us, we may ask that you provide us with your personal information and consent to this Privacy Statement. You may also be asked to consent to further communications, and should you elect to provide such consent, you may manage your communications preferences (i.e., the types of communications that you wish to receive from us) or opt out of such communications entirely, at any time, by clicking on the link that may be found at the base of any email communication that was sent by us to you.
As mentioned above, while you are not required to provide us with your personal information, if you elect not to provide us with this information (or should you opt out of certain communications), we may not be able to deliver an answer to your inquiry or request, and this could prevent us from administering associated products and/or services. In addition to providing you with products and services, your personal information may be used by HYAS and HYAS’ third-party marketing, sales and services software provider, Hubspot (on HYAS’ behalf), for the purpose of managing HYAS’ communications and tracking your interest in our information and materials.
4. SOURCE DATA: WHAT WE COLLECT & WHAT THIS DATA IS USED FOR
Accordingly, this section 4 describes the manner in which we collect Source Data from our various data sources. Subject to you having effectively retracted your consent to, or opted out of, the re-sale of the portion of Source Data that contains your personal information, per the relevant data source’s online subscription terms and contract(s) or other agreement(s) that you may have entered into with such data source(s) or pursuant to some other legal basis available to HYAS under the circumstances, HYAS may receive, sell, transfer or otherwise use your personal information. Consequently, this section 4 is also meant to provide you with more information concerning how and why we process Source Data.
The Source Data that HYAS collects is restructured as it is received. It is then combined and supplemented with data that had been previously collected by HYAS, thus forming a separate and discrete data set that is proprietary to HYAS (“HYAS’ Data”). HYAS’ Data may then be transferred and sold to, for access by, HYAS’ customers via HYAS’ products and/or services.
As concerns California residents, the CCPA presently outlines the categories of personal information that are considered to be personal information under the CCPA (as of the date of this Privacy Statement, this information may be found under sub-section 140(o)(1) of Section 1798.140; this sub-section provides the definition for “personal information” that should be applied in interpreting the CCPA). For example, as part of the services that HYAS provides to its customers, HYAS may draw inferences and/or create profiles of potential threat actors, and inference data is considered to be personal information under the CCPA and other data protection laws.
The definition of “personal information” that is provided under the CCPA is similar, if not broader than, other data protection laws, and because our data set is considered to be our proprietary information, we must refrain from disclosing the specific categories that we collect. Accordingly, we ask that you assume that the Source Data that we receive may consist of any or all of the personal information that falls into the categories listed under the CCPA (though it may also include other information, which does not constitute personal information). Should you have any questions or concerns with respect to how we have categorized Source Data in this Privacy Statement, we suggest that you contact us, per section 15 (Contact Information and Data Protection Officer), below.
Those of HYAS’ products and services that contain HYAS’ Data are provided to our customers, subject to such products and/or services being utilized solely for the purposes of preventing, detecting and/or protecting against security incidents as well as malicious, deceptive, fraudulent or illegal activities, and in some cases, we and/or our customers may additionally become involved in, and use this data for, the pursuit and prosecution of those involved in such activities. HYAS customers’ rights in the processing of HYAS’ Data may be offered on a paid, unpaid or on a trial basis, and in all such cases, a customer’s (and their representatives’) use of HYAS’ Data is limited to these business purposes. Accordingly, our customers generally fall into one of two groups: (a) the security and/or threat intelligence teams of various businesses and government entities and (b) qualified law enforcement personnel.
5. ABOUT THIS WEBSITE’S SERVER
This Website is hosted on a server, which is provided by Dynamic Hosting, which is located in Canada.
The data centre has on-site staff and 24×7 security.
Our server retains access logs, error logs, security logs and service logs to allow us to monitor service, in order to maintain this information and keep a level of security. These logs may store personal information in plain text on the platform. All logs are deleted after ninety (90) days.
Information, including personally identifiable information, that these logs may store includes:
- IP address;
- Request URL;
- Protocol; and
- Referrer paths.
Our Website and server are protected by a password, malware scanning, a managed firewall and brute force protection.
6. CUSTOMER/CONTRACTUAL INFORMATION
If you enter into contractual negotiations with us, including, for example, if you are or should you become our customer (by entering into an agreement for our provision to you or your employer of our products and/or services, under which agreement we have agreed to disclose, transfer and/or sell HYAS’ Data), then there will likely be certain details that we will need to obtain from you that will permit us to fulfil such contractual obligations or complete certain tasks, prior to entering into such contract with you (e.g., providing a quote or performing due diligence). We will only ask for those details that concern your personal information that we need.
This may include:
- Your name;
- Your employer and job title;
- Your email address;
- Your personal home, work or cellular phone number;
- Your or your employer’s postal address; and/or
- Your Internet Protocol (IP) address (your connection IP), and
any details that you elect to supply to us may be stored and accessed by us, on HYAS-owned or approved devices.
In order for us to be able to communicate to our active and prospective customers in providing important product and service-related notices and alerts, the general opt out mechanisms communicated via this Privacy Statement shall not apply; instead, your options for adjusting your communications preferences and opting out shall be governed by the appropriate written agreement made between us and you (or the company that you work for). The communication management and opt-out mechanisms described in this Privacy Statement apply to advertising and marketing-related communications, only. As such, all communications concerning the delivery of products and/or services will terminate at the end of the corresponding engagement.
7. OUR THIRD-PARTY DATA PROCESSORS
We use various third-party service providers to process personal data on our behalf. We only do this where it would be impractical for us to do otherwise. As such, we have carefully selected our service providers, each of which may be based in Canada, the European Union (EU) or the United States (US). We look for service providers who are compliant with the legislation set out in section 2, above.
- Microsoft (for Source Data storage and internal file storage, includes: Azure as well as Azure Compute and Blob Storage Services, Azure Functions and Office 365)
- Amazon (for Source Data file storage, includes: AWS Compute Services, Lambda Services and S3)
- Google (in support of internal operations, marketing and for Website management and analytics; includes use of: GSuite, Google Analytics, and Google Webmaster Tools)
- Dynamic Hosting (for hosting our cloud platform)
- Hubspot (for communications, including, without limitation: product updates and tracking consents to this and subsequent versions of our Privacy Statement, administration of password changes and maintenance of your contact information)
- Zendesk (for managing customer relations and service requests)
- Dropbox (for internal file storage)
- Zoom (for communications)
- Slack (for communications)
- Skype (for communications)
- GoToWebinar (for hosting webinars and videos)
- LinkedIn (for sales leads and human resource searches)
- DocuSign (for executing/distributing legal agreements and other documents)
We additionally have in place written agreements with a number of contractors who act on HYAS’ behalf in providing us with sales and marketing services as well as engineering support services. Further, in cases where there is a bona fide need for disclosure, we may provide your personal information to our legal advisors. The processing of your personal information as well as the processing of Source Data by our service providers is based on the complementary principles of role-based access and least privilege. All of our contractors who have access to your personal information are obligated to protect such information pursuant to written agreements that are no less protective than those set out in this Privacy Statement.
8. DISCLOSURE OF PERSONAL INFORMATION
We will not disclose, trade, rent, sell or otherwise transfer your personal information without your consent, except as set out herein.
Service Providers: We may transfer (or otherwise make available) your personal information to third parties who provide services on our behalf. For example, we may use service providers to send our emails and host our Website and operate certain of its features. These services are provided either in accordance with a written agreement or pursuant to the relevant service provider’s online standard privacy policies subscription agreement. Your personal information may be maintained and processed by third-party service providers in the US or other jurisdictions. Our service providers are given the information that they need to perform their designated functions, and we do not authorize them to use or disclose personal information for their own marketing or other purposes.
Partners: From time to time, we may partner with third parties to provide benefits to registered members of our Website. With your consent, we may exchange certain personal information with these third parties. We may also share aggregated, non-identifiable profile and usage data with such parties for marketing and analytics purposes.
Business Transactions: We may transfer any information that you provide to us, in connection with a proposed or completed merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of HYAS or as part of a corporate reorganization or other change in corporate control.
Business Purposes: We may transfer, as necessary, your personal information, which was collected in conjunction with, or is reasonably necessary to enforce, contractual terms and conditions, or where such transfer is necessary to support or protect HYAS’ business operations and/or its users. HYAS may transfer HYAS’ Data in conjunction with our provision of our products and/or services to users, on a paid, an unpaid or on a trial basis.
Legal Requirements: HYAS and our service providers may provide your personal information in response to a search warrant or other legally valid inquiry or order, or to an organization in the case of a breach of an agreement or contravention of law, or as otherwise required or permitted by applicable law. We may also disclose personal information where necessary for the establishment, exercise or defense of legal claims, to detect, suppress or prevent fraud, and to investigate or prevent actual or suspected loss or harm to persons or property.
We have implemented reasonable administrative, technical and physical safeguards in an effort to protect against unauthorized access, use, modification and disclosure of personal information in our custody and control, including limiting access to our database to legitimate users and encrypting data at rest.
We have personal information retention processes designed to retain personal information for no longer than necessary for the purposes stated above or to otherwise meet legal requirements.
10. DATA BREACHES
We will report any unlawful data breach of this Website’s database and the database containing HYAS’ Data, or the database(s) of any of our third-party data processors (should we become aware of the same), to any and all relevant persons and authorities, as required by law.
11. DATA RETENTION
We pride ourselves on only storing the data we need. With that in mind, we conduct an (annual) data review of the information we hold and delete anything we no longer need, or which we have held for at least twelve (12) months, without usage.
We will only hold personal information for a longer period in order to fulfil our contractual or legal obligations.
12. DATA ERASURE REQUESTS, DATA SUBJECT ACCESS REQUESTS & OTHER RIGHTS THAT YOU MAY HAVE
You may access, update and correct inaccuracies in your personal information in our custody or control at any time, subject to limited exceptions prescribed by law. You may additionally request that we erase your data. In order to make a data erasure request or data subject access request (i.e. an access, correction or update request regarding your personal information), please contact our Data Protection Officer whose details are listed in section 15 (Contact Information & Data Protection Officer), below.
Subject to all terms and conditions contained within the CCPA, including, for example, any applicable limitations and exceptions, if you are a California “consumer” (as defined by the CCPA), you have the following additional rights:
- As concerns such of your personal data that has been collected by HYAS, the right to request that HYAS disclose:
  - The categories of personal information we have collected about you, specifically;
  - The categories of sources from which we have collected such information;
  - Our business/commercial purposes for having collected such information; and
  - The categories of third parties to whom we have shared your personal information.
- As concerns such of your personal data that has been sold by HYAS or disclosed by HYAS for a business purpose, the right to request that HYAS disclose, as applicable:
  - The categories of personal information we have collected about you, specifically;
  - The categories of your personal information, specifically, that we have sold;
  - The categories of third parties to whom we have sold your personal information; and
  - The categories of your personal information that we have disclosed for a business purpose.
- As concerns such of your personal information that we had collected directly from you, the right to request that we delete your personal information from our records (and accordingly, that we direct that such records additionally be deleted from our service providers’ records).
In making such requests, we may request certain personal information for the purposes of verifying the identity of the individual seeking access to, or the disclosure, correction or deletion of, their personal information records. For example, we may request that you send us an email from the email address that you have on file with us or if you are a paying customer, submit a support ticket, using your account. Subject to our obligations under applicable privacy laws, should we be unable to verify your identity, we may deny such request(s).
As noted above, HYAS does not “sell” (as defined by the CCPA) your personal information where that information is collected by us, from you directly. However, as concerns our sale of HYAS’ Data, if you are a California consumer and believe that this data may contain your personal information, you have the right to opt out of our sale of that portion of HYAS’ Data that contains your personal information. We are currently working on a webform to facilitate the processing of such request; in the meantime, we ask that you please direct all such requests, via email, to our Data Protection Officer (whose contact information may be found in section 15, below), and to help us confirm and process such request, please additionally provide us with your name and regional location.
Should you, as a California consumer, elect to exercise your rights under this section 12 and if we are reasonably able to provide the requested goods and/or services without the requested personal information, we will not discriminate against you by denying such goods or services, charging different prices or rates for goods or services (including through discounts or penalties), providing a different level of quality or services, or suggesting the foregoing, in response to your decision.
13. CHANGES TO THIS PRIVACY STATEMENT
This Privacy Statement may be updated periodically to reflect changes to our personal information practices. The current version of this Privacy Statement will be posted on our Website. For the latest information about our personal information practices, we strongly encourage you to refer to this Privacy Statement often.
14. DATA CONTROLLER: DATA COLLECTED DIRECTLY FROM YOU & HYAS’ DATA
HYAS Infosec Inc. is the controller of such of your personal information as we have collected from you directly as well as HYAS’ Data (defined in section 3, above). For more information concerning what is HYAS’ Data and how it is derived, used and otherwise processed, please read section 4 of this Privacy Statement.
We are a Canadian company, and our registered office is located at the following address:
500-3 Fan Tan Alley
Victoria, British Columbia V8W 3G9
15. CONTACT INFORMATION & DATA PROTECTION OFFICER
Please direct all inquiries, concerns and requests relating to HYAS’ data processing practices or this Privacy Statement to DPO@hyas.com, which email is monitored by our internal data protection officer (DPO).
Privacy Statement-related communications may also be sent to our registered office (per section 14, above), Attention: Data Protection Officer, or you may direct such communications by calling the following toll-free number: (877) 572-6446.