Effective Date: January 1, 2020

This is the Privacy Policy of IPInstrument, Inc. and its wholly-owned subsidiaries (collectively, “IPInstrument,” “IPI,” “we,” “our,” or “us”). We provide security solutions that help protect the data and systems of our business customers from continually evolving risks. It is IPInstrument’s policy to provide security and privacy. Each is important, and they are sometimes co-dependent. We believe in Security by Design and Privacy by Design. This Privacy Policy covers IPInstrument’s handling of two categories of information:

This Privacy Policy includes details specific to Processor Data, details specific to Controller Data, and information relevant to our handling of both kinds of data.

1. Privacy Practices Specific to Processor Data

a. Types of Processor Data We Collect

We receive information from or on behalf of our customers and their users, and for most of such data, we act as a “processor.” Because of the nature of the IPInstrument Services, this information may contain any type of personal data. For example, we may collect the following categories of information, that may be Processor Data, through the IPInstrument Services:

Some of the technical information listed above is considered personal data in certain contexts. IPInstrument also collects Processor Data through the technology described in the “Cookies and Similar Automated Data Collection” section below. We use Processor Data as described in the following section.

b. Uses of Processor Data

Subject to our contractual obligations, and depending on the particular IPInstrument Services, we may use and disclose the information described above (sometimes in combination with other information we obtain, such as from our customers) as follows:

o   Providing maintenance and technical support

o   Providing product upgrades

o   Addressing security and business continuity issues

o   Analyzing and improving the IPInstrument Services

Many IPInstrument Services use automated technology to recognize and defend against cybersecurity risks, such as by blocking or quarantining suspected malicious data. To better protect our customers and assist them with their own security compliance, some IPInstrument Services use external threat information gathered in these situations to improve security for customers of IPInstrument Services in similar situations. For example, if certain IPInstrument services determine that a hacker is attacking some of our customers, we may use information about that threat in order to help protect other customers from similar attacks. This provides our customers’ data with much better protection than what would be possible if our services could not learn from experience. We handle “Threat Data” like this as described in the “Privacy Practices Specific to Controller Data” section below.

c. Disclosures of Processor Data

Subject to our contractual obligations, and depending on the particular IPInstrument Services, we may disclose the information described above as follows:

For those purposes, we may share information with our affiliates and other entities that help us with the activities described in this Privacy Policy.

2. Privacy Practices Specific to Controller Data

a. Types of Controller Data We Collect

As described above, we act as a processor for most of the IPInstrument Services. We are, however, a “controller” under applicable law with respect to Controller Data. Controller Data includes two general categories of data: Business Data and Threat Data.

For example, we may collect certain data about customers, prospective customers, partners and their personnel (“Business Data”), which may include:

We obtain Business Data directly from the relevant individuals or their employers, and also from third-party sources, such as distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referrals from customers and users, as well as publicly available sources such as company websites.

In connection with some IPInstrument Services, IPInstrument is also considered a controller of certain personal data relevant to security threats, i.e. “Threat Data.” To the extent it is personal data, IP addresses, device identifiers, URLs, and other data associated with malicious activity are part of Threat Data. We obtain Threat Data through IPInstrument Services, publicly available sources such as online forums, other security providers and researchers, and independent research.

IPInstrument also collects Business Data and Threat Data through the technology described in the Cookies and Similar Automated Data Collection section below. We use all Controller Data as described in the following section.

b. Uses of Controller Data (Business Data and Threat Data)

IPInstrument uses Controller Data as follows:

c. Disclosures of Controller Data (Business Data and Threat Data)

Subject to our contractual obligations, we share the information described above as follows:

For those purposes, we may share information with our affiliates and other entities that help us with the activities described in this Privacy Policy.

d. Legal Bases for Processing Controller Data (Business Data and Threat Data)

The laws in some jurisdictions require companies to tell you about the legal ground they rely on to use or disclose your personal data. To the extent those laws apply, our legal grounds for processing Controller Data are as follows:

o   Protecting our business, personnel and property

o   Providing cybersecurity, including for the protection of personal data

o   Customer service

o   Marketing

o   Analyzing and improving our business; and/or

o   Managing legal issues

We may also process personal data for the same legitimate interests of our customers and business partners.

3. Additional Information About Our Privacy Practices (applicable to both Processor Data and Controller Data)

a. Personal Data Rights and Choices (including Direct Marketing Opt-Out)

We offer the options described below for exercising rights and choices under applicable law. Many of these are subject to important limits or exceptions under applicable law.

In addition, the law of your jurisdiction (for example, within the European Economic Area) may give you additional rights to request access to and rectification or erasure of certain of your personal data we hold. In some cases, you may be entitled to receive a copy of the personal data you provided to us in portable form or to request that we transmit it to a third party. The law may also give you the right to request restrictions on the processing of your personal data, to object to processing of your personal data, or to withdraw consent for the processing of your personal data (which will not affect the legality of any processing that happened before your request takes effect).

You may contact us as described below to make these requests.

b. Notice to California Residents

Except where expressly noted, the subsections below apply only to California residents’ “personal information” about California residents, as that term is defined in the California Consumer Privacy Act (“CCPA”), and they supplement the information in the rest of our Privacy Notice above. Data about individuals who are not residents of California is handled differently and is not subject to the same rights described below. Californians who wish to exercise the rights described here with respect to Processor Data should contact the customer on whose behalf we handle the data. The rest of this California section applies only to Controller Data.

CCPA summary of information practices

IPInstrument collects all of the information described in Sections 2(a) and 3(e) of this Privacy Policy from and about California residents. In CCPA terms, we may use and disclose (and in the past 12 months have used and disclosed) this information purposes described in Sections 2 and 3 of our Privacy Notice. In some cases, the link between the data and the use or disclosure was more direct than others. Not all information in a particular category was necessarily used for all of the purposes, collected from all the sources, or disclosed to all of the recipients, that are listed in that category. Again, data about residents of other jurisdictions is handled in different ways. In more detail:

CCPA categories of California information collectedPurposes of use of the California personal informationSources of the personal informationCategories of third parties with whom we share the information
Identifiers (such as name, address, email address and other contact information, IP addresses)All purposes described in Sections 2(b) and 3(e)Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websitesService providers, affiliates, customers, distributors, governmental entities, partners, suppliers, security researchers, employers and in special cases other third parties.
Commercial information (such as information about an individual’s interests and interactions with IPInstrument or our partners, including transaction data)All purposes described in Sections 2(b) and 3(e)Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websitesAll of the above.
Internet or other network or device activityAll purposes described in Sections 2(b) and 3(e)Data subjects, distributors, resellers and partners, credit card issuers, clearinghouses, data brokers, fraud databases, referral sources, customers, users, other security providers and researchers, as well as publicly available sources such as company websitesAll of the above.
Visual information (such as photographs collected from certification candidates for identity verification and test security)To manage our relationships with customers, partners, suppliers, event attendees, and others; to enforce the legal terms that govern our business and online properties; to provide security and business continuity; to comply with law and protect rights, safety, and property; for other purposes requested or permitted by our customers or users, or as reasonably required to perform our business.Data subjects, their employersService providers, affiliates, customers, employers and in special cases other third parties.
Geolocation informationAll purposes described in Sections 2(b) and 3(e)Data subjectsService providers, affiliates, customers, employers and in special cases other third parties.
Categories of personal information described in California Civil Code Section 1798.80(e)All of the aboveAll of the aboveAll of the above

CCPA privacy rights

If you are a California resident, California law may permit you to request that we:

Certain information is exempt from such requests under applicable law. You also may have the right to receive information about the financial incentives that we offer to you (if any). You also have certain rights under the CCPA not to be subject to certain negative consequences for exercising CCPA rights.

To request to exercise any of these rights and receive the fastest response, please email us at [email protected]. You will be required to verify your identify before we fulfill your request.

You can also designate an authorized agent to make a request on your behalf. To do so, you must provide us with sufficient written authorization or a power of attorney, signed by you, for the agent to act on your behalf. You will still need to verify your identity directly with us. For security and legal reasons, however, IPInstrument will not accept requests that require us to access third-party websites or services.

CCPA “sale” of California personal information

The CCPA requires businesses that “sell” personal information, as the term “sell” is defined under the CCPA, to provide an opt-out from such sales. Some people have taken the position that when a website uses third parties’ cookies or similar technology for its own analytics or advertising purposes, the website is engaged in a “sale” under the CCPA if the third parties have some ability to use, disclose or retain the data to improve their service or to take steps beyond the most narrowly drawn bounds of merely providing their service to the website/app. Some take this position even when the website pays the third party (not vice versa), and in most cases merely provides the third party with an opportunity to collect data directly, instead of providing personal information to the third party. If you take the position that use of these sorts of technology involves a “sale” within the meaning of the CCPA, then you may consider IPInstrument to have “sold” what the CCPA calls “identifiers” (like IP addresses), “internet or other electronic network activity information” (like information regarding an individual’s browsing interactions on IPInstrument.com), and “commercial information” (like the fact that a browser visited a page directed to people who are considering purchasing from us) to those sorts of companies. To put limits on the collection and/or use of data in these sorts of situations, please use all of the control options described in Section 3(e) below.

Deletion of your online posts 

Under a separate California law, minors may request deletion or anonymization of content or information they have posted on our websites or online spaces (such as in a public forum), by using the self-service option in the relevant website or online space (if available) or by contacting us as described below. We will handle such requests under applicable law. Where the request is made under that California law, this process does not ensure complete or comprehensive removal of the content or information.

c. Notice to Nevada Residents

d. Aggregate or De-Identified Data

Subject to applicable law and our contractual obligations, (i) we may aggregate or de-identify Controller Data or Processor Data so that the information cannot be linked to the relevant individual and (ii) our use and disclosure of aggregated, anonymized, and other non-personal information is not subject to any restrictions under this Privacy Policy, and we may disclose it to others without limitation for any purpose.

e. Cookies and Similar Automated Data Collection

In our websites, apps and emails, we and third parties may collect certain information by automated means such as cookies, Web beacons, JavaScript and mobile device functionality. This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation, other device information, Internet connection information, as well as details about individuals’ interactions with our apps, websites and emails (for example, the URL of the third-party website from which you came, the pages on our website that you visit, and the links you click on in our websites).

We and third parties may use automated means to read or write information on users’ devices, such as in various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage).

Cookies and local storage are files that contain data, such as unique identifiers, that we or a third party may transfer to or read from a user’s device for the purposes described in this Privacy Policy, such as recognizing the device, service provision, record-keeping, analytics and marketing, depending on the context of collection.

You may be able to set your web browser to refuse certain types of cookies, or to alert you when certain types of cookies are being sent. Some browsers offer similar settings for HTML5 local storage, and Flash storage can be managed here. However, if you block or otherwise reject our cookies, local storage, JavaScript or other technologies, certain websites (including our own websites) may not function properly.

These technologies help us (a) keep track of whether you are signed in or have previously signed in so that we can display all the features that are available to you; (b) remember your settings on the pages you visit, so that we can display your preferred content the next time you visit; (c) display personalize content; (d) perform analytics, and measure traffic and usage trends, and better understand the demographics of our users; (e) diagnose and fix technology problems; and (f) otherwise plan for and enhance our business.

Also, in some cases, we facilitate the collection of information by advertising services administered by third parties. The ad services may track users’ online activities over time by collecting information through automated means such as cookies, and they may use this information to show users ads that are tailored to their individual interests or characteristics and/or based on prior visits to certain sites or apps, or other information we or they know, infer or have collected from the users. For example, we and these providers may use different types of cookies, other automated technology, and data (i) to recognize users and their devices, (ii) to inform, optimize, and serve ads and (iii) to report on our ad impressions, other uses of ad services, and interactions with these ad impressions and ad services (including how they are related to visits to specific sites or apps).

To learn more about interest-based advertising generally, including how to opt out from the targeting of interest-based ads by some of our current ad service partners, visit aboutads.info/choices or youronlinechoices.eu from each of your browsers. You can opt out of Google Analytics and customize the Google Display Network ads by visiting your Google Ads Settings. Google also allows you to install a Google Analytics Opt-out Browser Add-on for your browser. If you replace, change or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again. We do not respond to browser-based do-not-track signals.

Please visit your mobile device manufacturer’s website (or the website for its operating system) for instructions on any additional privacy controls in your mobile operating system, such as privacy settings for device identifiers and geolocation.

f. International Data Transfers

IPInstrument and the recipients of the data disclosures described in this Privacy Policy have locations in the United States, Canada and elsewhere in the world, including where privacy laws may not provide as much protection as those of your country of residence. IPInstrument data centers for Processor Data are located primarily in Canada. We comply with legal requirements for cross-border data protection, including through the use of European Commission-approved Standard Contractual Clauses and, in some cases, a third party’s participation in the EU-U.S. or Swiss-U.S. Privacy Shield Framework. To exercise any legal right to request data transfer mechanism documents that IPInstrument uses to transfer data to third parties, please contact us.

Certain IPInstrument Services allow our customers and users to make international data transfers to third parties, for which they are solely responsible.

g. Security

We have put in place physical, electronic, and managerial procedures to safeguard data and help prevent unauthorized access, to maintain data security, and to use correctly the data we collect. However, we cannot assure you that data that we collect will never be used or disclosed in a manner that is inconsistent with this Privacy Policy.

If a password is used to help protect your personal information, it is your responsibility to keep the password confidential. Do not share this information with anyone.

h. Data Retention

We will retain your information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by law. To provide security and business continuity for the activities described in this Privacy Policy, we make backups of certain data, which we may retain for longer than the original data. 

i. Notification of Changes

IPInstrument reserves the right to change this Privacy Policy at any time to reflect changes in the law, our data collection and use practices, the features of our services, or advances in technology. Please check this page periodically for changes. Any updated Privacy Policy will be posted on IPInstrument.com via a hyperlink in the footer or other convenient location.

j.How to Contact Us

To request to exercise any of these rights and receive the fastest response, please email us at [email protected].