Effective Date: August 13, 2018
This Policy is intended to meet requirements globally, including those in North America, Europe, APAC, and other jurisdictions. This Policy does not apply to information we collect by other means (including offline) or from other sources.
WhiteHat complies with the requirements of the EU-U.S. Privacy Shield Framework (“Privacy Shield”), as set forth by the U.S. Department of Commerce and the Federal Trade Commission (“FTC”), regarding the collection, use, and retention of Personal Information transferred from the European Economic Area to the United States. WhiteHat has certified to the Department of Commerce that it adheres to the Privacy Shield Principles and Supplemental Principles. If there is any conflict between the terms in this Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view WhiteHat’s certification, please visit https://www.privacyshield.gov. Additionally, WhiteHat may protect information through other legally valid methods, including international data transfer agreements.
This Policy applies to all of WhiteHat’s operating divisions, subsidiaries, affiliates, and branches, including its U.S. affiliates certified under the Privacy Shield and any additional subsidiary, affiliate, or branch of WhiteHat that we may subsequently form.
2. INFORMATION WE MAY GATHER FROM YOU
The types of Personal Information we may collect (directly from you or from third-party sources) and our privacy practices depend on the nature of the relationship you have with WhiteHat and the requirements of applicable law. Some of the ways that WhiteHat may collect Personal Information include:
2.1 Information You Provide Directly to Us
Inquiries and Requests – We may provide you with the opportunity to contact us via e-mail or chat to ask questions, request information and materials, register or sign up for guides, seminars, or training classes, or provide comments and suggestions. You may also be offered the opportunity to have one of our representatives contact you personally to provide additional information about our Services. To facilitate this request, we may request additional Personal Information from you, such as your name, telephone number, and other contact information, to help us satisfy your request.
Service Enrollment – If you choose to enroll for one of our Services, we may require, without limitation, your name, address (including country, city and state), telephone number, e-mail address, bank account information, IP address, IP range, domain name(s), or Web Application URL(s). The types of information required to fulfill a service request depend on the types of Services being requested.
Statistical Information about Your Visit – We may collect certain information automatically through our Services or other methods of web analysis, such as your Internet protocol (IP) address, cookie identifiers, mobile advertising identifiers, and other device identifiers that are automatically assigned to your computer or device when you access the Internet, browser type, operating system, Internet service provider, pages that you visit before and after using the Services, the date and time of your visit, the amount of time you spend on each page, information about the links you click and pages you view within the Services, and other actions taken through use of the Services such as preferences.
Human Resources Data – WhiteHat collects Personal Information from current, prospective, and former Employees, their contact points in case of a medical emergency, and beneficiaries under any insurance policy (“Human Resources Data”). The Human Resources Data we collect may include title, name, address, phone number, email address, date of birth, passport number, driver’s license number, Social Security number or other government-issued identification number, financial information related to credit checks, bank details for payroll, information that may be recorded on a CV or application form, language abilities, contact information of third parties in case of an emergency, and beneficiaries under any insurance policy.
We may also collect Sensitive Human Resources Data such as the need for a leave of absence due to a disability, including mental health, medical leave, and maternity leave; information about national origin or immigration status; and optional demographic information such as race, which helps us achieve our diversity goals. We acquire, hold, use, and process Human Resources-related Personal Information for a variety of business purposes that may include, but are not limited to the following:
• Workflow management, including assigning, managing and administering projects;
• Human Resources administration and communication;
• Payroll and the provision of benefits;
• Compensation, including bonuses and long-term incentive administration, stock plan administration, compensation analysis, including monitoring overtime and compliance with labor laws, and company recognition programs;
• Job grading activities;
• Performance and employee development management;
• Organizational development and succession planning;
• Benefits and personnel administration;
• Absence management;
• Helpdesk and IT support services;
• Regulatory compliance;
• Internal and/or external or governmental compliance investigations;
• Internal or external audits;
• Litigation evaluation, prosecution, and defense;
• Diversity and inclusion initiatives;
• Restructuring and relocation;
• Emergency contacts and services;
• Employee safety;
• Compliance with statutory requirements;
• Processing of Employee expenses and travel charges; and
• Acquisitions, divestitures, and integrations.
Surveys: From time to time we may request information from customers via surveys. Participation in these surveys is completely voluntary and the user therefore has a choice whether or not to disclose this information. Survey information will be used for improving our customer service and service offerings.
2.2 Information from Other Sources
We may receive information about you from other sources, including through Third-Party services and organizations to supplement information provided by you. This supplemental information allows us to verify information that you have provided to WhiteHat and to enhance our ability to provide you with information about our business, products, and Services.
2.3 Cookies, Pixel Tags/Web Beacons, Analytics Information, and Interest-Based Advertising
3. HOW WE USE YOUR INFORMATION
3.1 Business Information
Generally, we use the Personal Information we receive to:
• Provide the Services, respond to inquiries or send you administrative messages regarding the operation and use of the Services;
• Personalize and improve the Services;
• Monitor and analyze usage and trends of the Services;
• Send communications related to the Services;
• Provide you with relevant advertisements;
• Process any transactions initiated by you;
• For any other purpose for which the information was collected;
• To meet our legal obligations, for example:
• For audit and reporting purposes;
• To perform accounting and administrative tasks;
• To respond to requests for information by competent public bodies and judicial authorities;
• To respond to inquiries we receive from you or your company or organization;
• To enforce or manage legal claims;
• To deliver advertising and promotional and other communications, including periodically contacting you with offers and information about our products, services, features, and events and sending you newsletters or other information about topics that we believe may be of interest; conducting online surveys; and otherwise promoting our products, services, features, and events; and
• To deliver targeted advertisements to you, both on and off the Services, including by using cookies, web beacons, and other Internet technologies, as explained in this Policy.
3.2 Human resources information
With regard to Personal Information we receive in connection with the employment relationship:
• we will use such Personal Information only for employment-related purposes as more fully described in this Policy; and
• if we intend to use this Personal Information for any other purpose, we will provide the individual with an opportunity to opt out of such uses.
3.3 Additional uses aligned with our Legitimate interests
In addition, we may use your Personal Information for the following purposes for which we have a legitimate interest:
• Direct marketing
• Processing for research purposes (including marketing research)
• Disclosure to affiliated organizations
• Network and information security (e.g., server logs may be reviewed for security purposes – e.g., to detect unauthorized activity on the Services. In such cases, server log data containing IP addresses may be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.)
• Physical security
• Exercise of the right to freedom of expression or information, including in the media and the arts
• Unsolicited non-commercial messages, including for political campaigns or charitable fundraising
• Enforcement of legal claims including debt collection via out-of-court procedures
• Prevention of fraud, misuse of services or money laundering
• Employee monitoring for safety or management purposes
• Whistle-blowing schemes
• Processing for historical, scientific or statistical purposes
3.4 Instances where we may share personal information
General: We will share your Personal Information with third parties only as described in this Policy. We do not sell your Personal Information to third parties.
Vendors and Service Providers: In some cases WhiteHat may share Personal Information with our vendors and service providers who assist us to collect, use, analyze, and otherwise process information on our behalf. It is our practice to require such service providers to handle information in a manner consistent with WhiteHat’s policies and to use your Personal Information only as necessary to provide these services to us.
Business Partners: WhiteHat may share Personal Information with our business partners, affiliates, and for our affiliates’ internal business purposes or to provide you with a product or service that you have requested. WhiteHat may also provide Personal Information to business partners with whom we may jointly offer products or services, or whose products or services we believe may be of interest to you. In such cases, our business partner’s name will appear, along with WhiteHat’s. We require our affiliates and business partners to agree in writing to maintain the confidentiality and security of Personal Information they maintain on our behalf and not to use it for any purpose other than the purpose for which WhiteHat provided it to them.
To Protect Ourselves or Others: We may access, preserve, and disclose your Personal Information, other account information, and content if we believe doing so is required or appropriate to: (i) comply with law enforcement or national security requests and legal process, such as a court order or subpoena; (ii) respond to your requests; (iii) protect your, our, or others’ rights, property, or safety; (iv) to enforce WhiteHat policies or contracts; (v) to collect amounts owed to WhiteHat; (vi) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity; or (vii) if we, in good faith, believe that disclosure is otherwise necessary or advisable.
Merger, Sale, or Other Asset Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, then your information may be sold or transferred as part of such a transaction as permitted by law and/or contract. Should such an event occur, WhiteHat will endeavor to direct the transferee to use Personal Information in a manner that is consistent with the Policy in effect at the time such Personal Information was collected.
Testimonials: We may display personal testimonials of satisfied customers on our site in addition to other endorsements. With your consent we may post your testimonial along with your name. If you wish to update or delete your testimonial, you can contact the WhiteHat Privacy Contact as described below.
Public Profiles: The profile you create on our website will be publicly accessible unless otherwise indicated. You may change the privacy settings of your profile through your account portal.
Privacy Shield: With respect to onward transfers to Agents under Privacy Shield, Privacy Shield requires that WhiteHat remain liable should its Agents Process Personal Information in a manner inconsistent with the Privacy Shield Principles.
Data Transfers: All Personal Information collected via or by WhiteHat may be stored anywhere in the world, including but not limited to, in the United States, in the cloud, on our servers, on the servers of our affiliates or the servers of our service providers. Your Personal Information may be accessible to law enforcement or other authorities pursuant to a lawful request. By providing information to WhiteHat, you consent to the storage of your Personal Information in these locations.
4. CHOICE – YOUR ABILITY TO OPT OUT OF NOTIFICATIONS
Where you have consented to WhiteHat’s processing of your Personal Information, you may withdraw that consent at any time and opt out of further processing by following the instructions in this section. Even if you opt out, we may still collect and use non-Personal Information regarding your activities on our websites and/or information from the advertisements on Third-Party websites for non-interest based advertising purposes, such as to determine the effectiveness of the advertisements.
4.1 Email and Telephone Communications
If you would like to discontinue receiving promotional communications from us, you may update your email preferences by using the “Unsubscribe” link found in emails we send to you. You may also change your preferences online at https://info.whitehatsec.com/Subscription-Management.html.
Note that even if you opt out, you will continue to receive transaction-related emails regarding products or services you have requested. We may also send you certain communications regarding WhiteHat and our Services and you will not be able to opt out of those communications (e.g., communications regarding updates to our Terms of Service or this Policy, information regarding the security, initial use, expiration, product enhancement or migration of our products or services from this site).
We maintain telephone “do-not-call” and “do-not-mail” lists as mandated by law. We process requests to be placed on do-not-mail, do-not-phone and do-not-contact lists within 60 days after receipt, or such shorter time as may be required by law.
4.2 “Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. WhiteHat does not recognize or respond to browser-initiated DNT signals. For information about “do-not-track”, please visit https://allaboutdnt.com/.
4.3 Cookies and Interest-Based Advertising
You may stop or restrict the placement of cookies on your computer or remove them from your browser by adjusting your web browser preferences. Please note that cookie-based opt-outs are not effective on mobile applications. However, on many mobile devices, application users may opt out of certain mobile ads via their device settings.
The online advertising industry also provides websites from which you may opt-out of receiving targeted ads from our data partners and our other advertising partners that participate in self-regulatory programs. You can access these, and also learn more about targeted advertising and consumer choice and privacy, at www.networkadvertising.org/managing/opt_out.asp, or http://www.youronlinechoices.eu/ and www.aboutads.info/choices/. You can also choose not to be included in Google Analytics here.
To be clear, whether you are using our opt-out or an online industry opt-out, these cookie-based opt-outs must be performed on each device and browser that you wish to have opted out. For example, if you have opted out on your computer browser, that opt-out will not be effective on your mobile device. You must separately opt out on each device. Advertisements on Third-Party websites that contain the AdChoices link and that link to this Policy may have been directed to you based on anonymous, non-Personal Information collected by advertising partners over time and across websites. These advertisements provide a mechanism to opt out of the advertising partners’ use of this information for interest-based advertising purposes.
5. THIRD-PARTY LINKS
Our website may contain links to other websites for news and other information. Our Policy only applies to the WhiteHat website and we are not responsible for the privacy practices or the content of other websites. You should check the privacy policies of those sites before providing your Personal Information to them.
6. RIGHTS OF ACCESS, RECTIFICATION, ERASURE, AND RESTRICTION
You may inquire as to whether WhiteHat is processing Personal Information about you, request access to your Personal Information, and ask that we correct, amend, or delete your Personal Information where it is inaccurate or has been Processed in violation of the Privacy Shield Principles. Where otherwise permitted by applicable law, you may send an e-mail to email@example.com or use any of the methods set out in this Policy to request access to, receive (port), restrict processing, seek rectification, or request erasure of Personal Information held about you by WhiteHat. Such requests will be processed in line with local laws.
Although WhiteHat makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which WhiteHat is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question or where it is commercially proprietary. If WhiteHat determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, WhiteHat will take commercially reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
7. DATA RETENTION
WhiteHat will retain Personal Information for as long as needed to provide Services or as otherwise permitted by law. WhiteHat will retain and use this Personal Information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We consider the protection of all Personal Information we receive as critical. Please be assured that we have security measures in place to protect against the loss, misuse, and alteration of any personal information we receive from you. As with any transmission over the Internet, however, there is always some element of risk involved in sending personal information. In order to try to minimize this risk, we encrypt all information that you submit in ordering the Services using the Secure Sockets Layer (SSL) protocol.
9. CHILDREN’S PRIVACY
Because of the nature of our business, this website is not designed to appeal to children under the age of 13 (or 16 in certain jurisdictions) and we do not knowingly request or receive any information from children under the age of 13 (or 16 in certain jurisdictions). If you learn that your child has provided us with Personal Information without your consent, you may alert us at firstname.lastname@example.org. If we learn that we have collected any Personal Information from children under 13 (or 16 in certain jurisdictions), we will promptly take steps to delete such information and terminate the child’s account.
10. INTERNATIONAL USERS
By using the website, you will transfer data to the United States. By choosing to visit the website, utilize the Services or otherwise provide information to us, you agree that any dispute over privacy or the terms contained in this Policy will be governed by the laws of the State of California and the adjudication of any disputes arising in connection with WhiteHat or the website will be in accordance with the Terms.
If you are visiting from the European Union or other regions with laws governing data collection and use, please note that you are agreeing to the transfer of your information to the United States and processing globally. By providing your Personal Information, you consent to any transfer and processing in accordance with this Policy.
11. CALIFORNIA PRIVACY RIGHTS
California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the Third Parties to whom we have disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties. WhiteHat does not share Personal Information with Third Parties for their own marketing purposes.
12. CHANGES TO THIS POLICY
We may update this Policy to reflect changes to our information practices. If we make any material changes we may notify you by email or by means of a notice on this site prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.
13. REDRESS / COMPLIANCE
If you are an EU citizen and feel that WhiteHat is not abiding by the terms of this Policy or is not in compliance with the Privacy Shield Principles, please contact WhiteHat at the contact information provided below.
In addition, WhiteHat has agreed to refer unresolved complaints related to Personal Information to JAMS Privacy Shield Dispute Resolution Program and, with respect to Employee and human resources data, has committed to cooperate with the panel established by local data protection authorities and comply with the advice given by the panel for EU citizens. For more information and to submit a complaint regarding individual data to JAMS, a dispute resolution provider which has locations in the United States and EU, visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim.
Such independent dispute resolution mechanisms are available to citizens free of charge. If any request remains unresolved, you may contact the national data protection authority for your EU Member State.
You may also have a right, under certain conditions, to invoke binding arbitration under Privacy Shield; for additional information, see https://www.privacyshield.gov/article?id=ANNEX-I-introduction. The FTC has jurisdiction over WhiteHat’s compliance with the Privacy Shield.
This Policy shall be implemented by WhiteHat and all its operating divisions, subsidiaries and affiliates. WhiteHat has put in place mechanisms to verify ongoing compliance with Privacy Shield Principles and this Policy. Any Employee who violates these privacy principles will be subject to disciplinary procedures.
14. CONTACT INFORMATION
If you have questions about WhiteHat’s Policy, please contact us at:
1741 Technology Drive, Suite 300
San Jose, CA 95110
telephone: +1 (408) 343-8300
The following capitalized terms shall have the meanings herein as set forth below.
“Agent” means any Third Party that Processes Personal Information pursuant to the instructions of, and solely for, WhiteHat or to which WhiteHat discloses Personal Information for use on its behalf.
“Employee” refers to any current, temporary, permanent, prospective or former employee, director, contractor, worker, or retiree of WhiteHat or its subsidiaries worldwide.
“Privacy Shield Principles” means the seven (7) principles of the Privacy Shield Framework: (1) notice, (2) choice, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability. Additionally, it includes the sixteen (16) supplemental principles described in the Privacy Shield: (1) sensitive data, (2) journalistic exceptions, (3) secondary liability, (4) performing due diligence and conducting audits, (5) the role of the data protection authorities, (6) self-certification, (7) verification, (8) access, (9) human resources data, (10) obligatory contracts for onward transfers, (11) dispute resolution and enforcement, (12) choice – timing of opt-out, (13) travel information, (14) pharmaceutical and medical products, (15) public record and publicly available information, and (16) access requests by public authorities.
“Process” or “Processing” means any operation which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Sensitive Data” or “Sensitive Personal Information” is a subset of Personal Information which, due to its nature, has been classified by law or by policy as deserving additional privacy and security protections. Sensitive Personal Information includes Personal Information regarding EU residents that is classified as a “Special Category of Personal Data” under EU law, which consists of the following data elements: (1) race or ethnic origin; (2) political opinions; (3) religious or philosophical beliefs; (4) trade union membership; (5) genetic data; (6) biometric data where Processed to uniquely identify a person; (6) health information; (7) sexual orientation or information about the Individual’s sex life; or (8) information relating to the commission of a criminal offense.
“Third Party” is any company, natural or legal person, public authority, agency, or body other than the Individual, WhiteHat or WhiteHat’s Agents.