1. WE CARE ABOUT YOUR PRIVACY
This Privacy Statement, which is made effective July 1, 2021, has been prepared by HYAS Infosec Inc. (“HYAS,” “we,” “us,” or “our”) and sets out the manner in which HYAS collects, uses, stores, transfers, discloses, manages and otherwise processes your personal information, including the data collected through our website (located at http://www.hyas.com; “Website”) and through other interactions.
Our visitors’ privacy and the privacy and protection of the data that is held by HYAS are of the utmost importance to us:
We have a duty of care to the people whose personal information we process.
We only collect and process the data that we need – nothing more.
We do not hold on to your personal information for longer than is needed.
Except as provided in this Privacy Statement or as otherwise agreed by you, we will not sell, transfer or otherwise process the personal information that we collect from you.
We will not cause your private personal information to become public (unless we are required to do so in order to comply with a legal obligation).
We endeavor to use such technical and organizational measures as are appropriate to the protection of your personal information, in light of the applicable processing activity and data type; however, we cannot guarantee the complete security of such personal information, as unauthorized entry or use, hardware or software failure and other factors may compromise such information at any time.
We ask that you read through this Privacy Statement, so that you may familiarize yourself with our privacy-related practices and policies.
If you do not agree with the privacy practices that are described in this Privacy Statement and the webpages that contain more information on such practices (whose links are embedded herein), you may refrain from using this Website, our products and our services.
2. CHANGES TO THIS PRIVACY STATEMENT
This Privacy Statement and the links to the pages that are embedded herein, including the content contained within such links, may be updated periodically to reflect changes to our personal information practices. The current version of this Privacy Statement will always be posted on our Website. For the latest information about our personal information practices, we strongly encourage you to refer to our Website and this Privacy Statement often.
3. RELEVANT LEGISLATION
Our Website, along with this Privacy Statement and our internal data policies, is intended to comply with the following pieces of legislation:
EU General Data Protection Regulation 2018 (GDPR)
California Consumer Privacy Act of 2018 (CCPA)
Other applicable data privacy/protection laws, including Canadian legislation
By complying with the above legislation, we and this Website should also be in compliance with the data privacy and protection requirements of many other countries and territories. However, if you have any concerns regarding our or our Website’s handling of data, please contact us per the contact information found below (see section 15: Contact Information & Data Protection Officer).
4. YOUR PERSONAL INFORMATION: WHAT WE COLLECT FROM YOU DIRECTLY & WHAT THIS DATA IS USED FOR
The meaning of the term “personal information”, a.k.a. “personal data” and “personally identifiable information”, may vary in accordance with the data privacy/protection laws that are being referenced. Personal information generally means information that identifies, relates to, describes, is capable of being associated with, or could be reasonably linked (directly or indirectly) to a particular, identifiable individual. If you are a California consumer, it may also refer to a reasonably identifiable household. Examples of personal information include various identifiers, such as your name, physical address, phone number and email address. Personal information may additionally include certain data types that are capable of identifying you indirectly, including, for example, information related to your internet activity.
This section 4 describes the manner in which we collect your personal information from you, directly. This section additionally provides you with information concerning what we use your personal information for. For purposes of this Privacy Statement, we refer to such of your personal information as we collect from a source other than you as “Source Data”. Accordingly, for more information regarding our collection and use of Source Data, please refer to section 5 (Source Data: What We Collect & What This Data Is Used For), below.
The only cases in which we may “sell” personal information, as defined under the CCPA, occur in the context described in section 5 (Source Data: What we Collect and What This Data is Used For), below, or if we were to sell or transfer any part of our business; absent the sale of our business, we do not, and will not, sell the personal information of any individual that is collected by us directly from such individual. All other transfers of your personal information occur in the course of us and our service providers providing you with the products and services described in this section, and to the best of our knowledge, we do not collect or otherwise process the personal information of minors under the age of 16.
The following are examples of situations where we may collect your personal information from you, directly – this may occur when you:
Request HYAS content or schedule a demonstration on our Website;
Participate in a security or informational webinar hosted or co-hosted by us;
Enter into a contract with us, either directly or through your employer;
Sign up to attend an event hosted or co-hosted by us;
Sign up to receive promotional communications;
Participate in our surveys or customer research;
Apply for employment at HYAS or enter into a working relationship with HYAS;
Contact us with a comment, question or complaint, or to make a request.
HYAS Content Requests and/or Scheduling of Demonstrations: You do not have to register to visit and browse certain features of our Website. However, to subscribe to or view HYAS content (for example: whitepapers and e-books) or to schedule a demonstration, you may be required to provide your name, certain business information, such as your title (i.e., your role with your employer), email address and physical address or regional location. You may additionally be asked for your contact preferences and for your consent to marketing and promotional communications. More information on how this information is used as well as to how you may manage your contact preferences to modify or opt out of future communications may be found in sub-section B of this section 4, below.
Entering into a Contract with HYAS: If you are or become, or the company through which you are employed is or becomes, our customer (via a separate contract for our products and/or professional services), or if we enter into negotiations concerning some other agreement, whether or not we enter into such agreement, then we may need to collect certain personal information from you to enable us to refine and process contractual terms, verify and process payments, authorize your access to our products and services, and/or fulfill our contractual obligations to you or your employer, as applicable. Please refer to section 7 (Customer/Contractual Information), below, for further details in this respect.
Events: Whenever HYAS hosts or co-hosts an event, all co-hosts will be disclosed in the promotional materials for such event. As a condition of your participation, you may be asked to provide your consent to our and our co-hosts’ (each a “Co-Host” and collectively, the “Co-Hosts”) use and transfer, amongst one another, of your personal information, to allow for the collective planning, promotion, facilitation and execution of the event and to enable each Co-Host to advertise and organize future events. Your voice and/or likeness may be captured at the event, and in some cases, you may be asked to provide your prior consent to the Co-Hosts’ use of such material for the Co-Hosts’ marketing and/or promotional purposes, as a condition of your participation. Other personal information that may be collected at or leading up to an event may vary. At minimum, we will ask for your name, company name, email address and phone number, and when asked to disclose such information, we will always clarify the purposes for which such information is collected and will be disclosed, as well as the Co-Hosts’ intended uses for such information. Accordingly, in disclosing such information, you will have consented to the same. Subject to any other terms and conditions of your consent, any personal information that is gathered by a Co-Host before, at or after an event, including, for example, by way of an event-related survey, may additionally be used by any or all Co-Hosts to understand industry-wide pain points, enhance products and/or service offerings, or for the Co-Hosts’ general marketing purposes.
Promotions: When you participate in a promotion, we may collect your name, company name, physical address, phone number, email address and any other information that you may provide. We use this information to administer your participation in a contest or promotion. At the time that you enter the contest or promotion, we may additionally ask for your consent so that we might send you future marketing and promotional communications.
Surveys and Customer Research: From time to time, we may offer you the opportunity to participate in one of our surveys or other customer research. The information obtained through our surveys and customer research is used in an aggregated, non-personally identifiable form. We use this information to help us understand our customers, to enhance our product and service offerings and to support our promotions and events.
HYAS Working Relationship: In connection with a job application or other inquiry regarding potential or actual employment with HYAS, you may provide us or our third-party service provider (on our behalf) with certain personal information about yourself, such as that contained in a resume, cover letter, LinkedIn profile or in similar employment-related materials (for example: educational information, employment information and employment history). We use this information for the purpose of processing and responding to your application for current and future career opportunities. HYAS’ directors, officers, investors, employees, contractors and advisors may provide additional personal information, which HYAS may use for general human relations purposes, including, for example, to process equity and compensation, and to manage other matters that generally fall into the category of tasks that support HYAS’ day-to-day operations. Such additional information may include professional and employment-related information, banking information as well as various formal and informal, internal and external communications (i.e., emails, web-conferences, personal messages, etc.).
Customer Service: When you contact us through our third-party provided customer support page with a comment, question or complaint, you may be asked for information that identifies you (such as your name, password, company name, title, email, phone number and address), along with any additional information that we may need to help us promptly answer your question, verify your identification or respond to your comment or complaint. We and such third-party service providers (on our behalf) may retain this information to create a record of your request, assist you in the future, or improve upon our customer service, product and service offerings. We may also request your feedback and other information in support of product and service collaborations with certain third-party contractors and vendors and to further various product and/or services development efforts; however, we will not disclose your personal information without your consent, in doing so.
Should you choose to provide us with your contact information via one of the above methods or by some other means (for example: via a business card), we may ask that you consent to how such information will be used, and accordingly, we may ask that you consent to this Privacy Statement. You may also receive an email from us, within which we may request that you consent to future communications. You are not required to provide your consent, but if you elect not to provide us with your personal information or your consent to our use of such information for the purposes described herein, this may prevent us from communicating with you further or delivering our products and/or services. You may retract your consent at any time, and for more information regarding how to manage your communications preferences or opt out of further communications entirely, please read through sub-sections A and B of this section 4, below.
Subject to your having withdrawn your consent, we rely on your consent in addition to any contract that is put into place between us (if applicable), as the legal basis under which we may process the personal information that we receive from you directly.
While this Website collects and uses your personal information for the foregoing reasons, none of the personal information or other data that you supply to us in accordance with this section 4 is stored by our Website. Your personal information may be passed to, stored or otherwise processed by any of our third-party data processors, who are identified in section 8 (Our Third-Party Data Processors), below.
A. SITE VISITATION TRACKING
We use this data to understand how our Website is being used, for example:
The number of people using it;
The pages visitors visit;
Where visitors enter the site;
Where visitors come from;
Where visitors exit; and
The demographics of our visitors.
We consider Google to be a third-party data processor (for more information on our third-party service providers, please refer to section 8, Our Third-Party Data Processors, below):
GA records data, such as: geographical location, device, internet browsers and operating system. It does not personally identify you to us. While GA also records your device’s IP address, which could be used to personally identify you, GA does not grant us access to this data.
You may prevent the storage of data relating to your use of the Website and created via the cookie (including your IP address) by GA, as well as the processing of this data by GA, by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
You can also obtain additional information on GA’s collection and processing of data and data privacy and security at the following links: https://policies.google.com/technologies/partner-sites and https://support.google.com/analytics/topic/2919631.
B. CONTACT FORMS AND LINKS PROVIDED THROUGH OUR WEBSITE OR IN A MARKETING/PROMOTIONAL EMAIL
If you contact us via a contact form on our Website or if you click on a link that is embedded in a marketing or promotional email that you receive from us, we may ask that you provide us with your personal information and consent to this Privacy Statement. You may also be asked to consent to further communications, and should you elect to provide such consent, you may manage your communications preferences, i.e., the types of communications that you wish to receive from us, or opt out of such communications entirely, at any time, by clicking on the link that may be found at the base of any such email communication sent by us to you. Alternatively, to fully opt-out of all email communications, you may click on the following link and submit a request to retract your earlier consent.
Please note that email communications initiated directly with HYAS’s personnel and agents do not include an opt-out option. As such, ongoing communications between you and such individuals imply that you have consented to the receipt of such emails. Should you wish to stop receiving these communications, please contact such person directly.
Again, while you are not required to provide us with your personal information, if you elect not to provide us with this information or should you opt-out of certain communications, we may not be able to deliver answers to your inquiries or requests, and this could prevent us from administering associated products and/or services.
5. SOURCE DATA: WHAT WE COLLECT & WHAT THIS DATA IS USED FOR
This section 5 describes the manner in which we collect Source Data from our various data sources. Consequently, this section 5 is also meant to provide you with more information concerning how and for what purposes we process Source Data.
Subject to you having effectively retracted your consent to, or opted out of, the re-sale of the portion of Source Data that contains your personal information (per the relevant data source’s online subscription terms, written contract(s) or other agreement(s) that you may have entered into), HYAS may continue to receive, store and otherwise use your personal information.
The Source Data that HYAS collects is restructured as it is received. It is then combined and supplemented with data that had been previously collected by HYAS, thus forming a separate and discrete data set that is proprietary to HYAS (“HYAS’ Data”).
HYAS’ Data may then be transferred and sold to, for access by, HYAS’ customers via HYAS’ products and/or services. HYAS’ Data may also be transferred to our third-party data integration partners, in support of enabling customer access to HYAS’ Data via said integration partners’ platform and for performing ongoing support services related to such data access. In such cases, the data may be processed and transferred outside of the European Economic Area and Canada, to the United States and other countries. To the extent that an individual third-party data integration partner or customer determines the purpose and means by which HYAS’ Data is processed, they shall be considered to independently control such data.
As concerns California residents, the CCPA presently outlines the categories of personal information that are considered to be personal information (as of the date of this Privacy Statement, this information may be found under sub-section 140(v)(1) of Section 1798.140; this sub-section provides the definition for “personal information” that should be applied in interpreting the CCPA). For example, as part of the services that HYAS provides to its customers, HYAS may draw inferences and/or create profiles of potential threat actors, and inference data is considered to be personal information under the CCPA and other data protection laws.
The definition of personal information that is provided under the CCPA is similar, if not broader than, other data privacy/protection laws, and because our data set is considered to be our proprietary information, we must refrain from disclosing the specific categories that we collect. Accordingly, we ask that you assume that the Source Data that we receive may consist of any or all of the personal information that falls into the categories listed under the CCPA and other data privacy/protection laws (though it may also include other information, which does not constitute personal information). Should you have any questions or concerns with respect to how we have categorized Source Data in this Privacy Statement, we suggest that you contact us, per section 15 (Contact Information and Data Protection Officer), below.
Those of HYAS’ products and services that contain HYAS’ Data are provided to our customers, subject to such products and/or services being utilized solely for the purpose of preventing, detecting, investigating and/or protecting against security incidents as well as malicious, deceptive, fraudulent or illegal activities. In some cases, we and/or our customers may additionally become involved in, and use this data for, the pursuit and prosecution of those involved in such activities. HYAS customers’ rights in the processing of HYAS’ Data may be offered on a paid, unpaid or on a trial basis, and in all such cases, a customer’s (and their representatives’) use of HYAS’ Data is limited to these business purposes. Accordingly, our customers generally fall into one of two groups: (a) the security and/or threat intelligence teams of various businesses and government entities and (b) qualified law enforcement personnel.
6. ABOUT THIS WEBSITE
This Website is hosted by our third-party service provider: HubSpot. HubSpot outsources the hosting of its product infrastructure to various leading cloud service providers. More information regarding HubSpot’s security practices may be found at https://www.hubspot.com/security.
7. CUSTOMER/CONTRACTUAL INFORMATION
If you enter into contractual negotiations with us, including, for example, if you are or should you become our customer (by entering into an agreement for our provision to you or your employer of our products and/or services, under which agreement we have agreed to disclose, transfer and/or sell HYAS’ Data), then there will likely be certain details that we will need to obtain from you that will permit us to fulfil such contractual obligations or complete certain tasks, prior to entering into such contract (e.g., providing a quote, performing due diligence or assisting you with user account setup and API access to our software as a service (SaaS) applications). With respect to the personal information that we ask that you provide to us for this purpose, we ask only for those details that we need.
This may include:
Your employer and job title;
Your email address;
Your personal home, work or cellular phone number;
Your or your employer’s facsimile (fax) number;
Your or your employer’s postal address; and/or
Your Internet Protocol (IP) address (your connection IP).
Any details that you elect to provide may be stored and accessed by us, on HYAS-owned or approved devices.
In the event of a conflict between this Privacy Statement and the terms and conditions contained within an agreement for our products and/or services, the terms of such agreement shall control. For example, in order for us to be able to communicate to our active and prospective customers in providing important product and service-related notices and alerts, the general marketing and promotional opt out mechanisms communicated to you within this Privacy Statement shall not apply; instead, your options for adjusting your communications preferences and opting out shall be governed by the appropriate written agreement made between us and you (or the company that you work for). As such, all communications concerning the delivery of products and/or services pursuant to such written agreement will terminate at the end of the corresponding engagement.
8. OUR THIRD-PARTY DATA PROCESSORS
We use various third-party service providers to process personal data on our behalf. We only do this where it would be impractical for us to do otherwise. As such, we have carefully selected our service providers, each of which may be based in Canada, the European Union (EU) or the United States (US). We look for service providers who are compliant with the legislation set out in section 3 (Relevant Legislation), above. Our current list of our third-party service providers may be found at the following page: www.hyas.com/third-party-service-providers/. For our latest list of our third-party service providers, please check this page often.
We additionally have in place written agreements with a number of contractors who act on HYAS’ behalf in providing us with sales and marketing services as well as engineering support services. All contractors with access to your personal information are obligated to protect such information pursuant to written agreements that are no less protective than those set out in this Privacy Statement. Further, in cases where there is a bona fide need for disclosure, we may provide your personal information to our legal advisors who are similarly required to protect your personal information pursuant to written agreements and per the common law principle of solicitor-client (attorney-client) privilege.
The processing of your personal information (including any Source Data) by our service providers, contractors and, if the need arises, our legal advisors, is based on the complementary principles of role-based access and least privilege.
9. DISCLOSURE OF PERSONAL INFORMATION
We will not disclose, trade, rent, sell or otherwise transfer your personal information without your consent, except as set out herein.
Service Providers: We may transfer (or otherwise make available) your personal information to third parties who provide solutions or services on our behalf. For example, we may use such service providers to send our emails and host our Website and operate certain of its features. These services are provided either in accordance with a written agreement or pursuant to the relevant service provider’s online standard privacy policies, the provider’s standard online services terms and/or a subscription agreement entered into between HYAS and such provider. Your personal information may be maintained and processed by third-party service providers in the US or other jurisdictions. Our service providers are given the information that they need to perform their designated functions, and we do not authorize them to use or disclose personal information for their own marketing or other purposes.
Business Partnerships: From time to time, we may partner with third parties to provide benefits to our customers and/or registered members of our Website. With your consent, we may exchange the personal information that we have collected from you directly with these third parties. We may also share aggregated, non-identifiable profile and usage data with such parties for marketing and analytics purposes. Further, HYAS’ Data (defined in section 5, Source Data: What We Collect and What This Data is Used For, above) may be made available to third party partners for the purposes of developing or enhancing our and/or our partners’ product offerings, including, for example, by way of technology partnerships and integrations.
Business Transactions: We may transfer any information that you provide to us, in support of a financing event or in connection with a proposed or completed merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of HYAS or as part of a corporate reorganization or other change in corporate control.
Business Purposes: We may transfer, as necessary, your personal information, which was collected in conjunction with, or is reasonably necessary to enforce, contractual terms and conditions, or where such transfer is necessary to support or protect HYAS’ business operations and/or its users. HYAS may transfer HYAS’ Data in conjunction with our provision of our products and/or services to users, on a paid, an unpaid or on a trial basis.
Legal Requirements: HYAS and our service providers may provide your personal information in response to a search warrant or other legally valid inquiry or order, or to an organization in the case of a breach of an agreement or contravention of law, or as otherwise required or permitted by applicable law. We may also disclose personal information where necessary for the establishment, exercise or defense of legal claims, to detect, suppress or prevent fraud and other malicious, deceptive or unlawful activities, and to investigate or prevent actual or suspected loss or harm to persons or property.
We have implemented reasonable administrative, technical and physical safeguards in an effort to protect against unauthorized access, use, modification and disclosure of personal information in our custody and control, including limiting access to our databases to legitimate users and encrypting data at rest.
We have personal information retention processes designed to retain personal information for such duration of time as is necessary for the purposes stated above or to otherwise meet legal requirements.
11. DATA BREACHES
We will report any unlawful data breach of this Website’s database and the database containing HYAS’ Data, or the database(s) of any of our third-party data processors (should we become aware of the same), to any and all relevant persons and authorities, as required by law.
12. DATA RETENTION
We pride ourselves in only storing the data we need.
With that in mind, we conduct an annual data review of the information we hold and delete the personal information that we determine, at our reasonable discretion, is no longer necessary to fulfill the purposes for which it was collected or that we have held for at least twelve (12) months and do not expect to utilize further. Your data may also be removed from our systems when we receive a notice from you to delete your personal information.
We may retain personal information for a longer period only in cases where we must do so to fulfil our contractual or legal obligations.
13. DATA SUBJECT REQUESTS & OTHER RIGHTS THAT YOU MAY HAVE
Subject to limited exceptions prescribed by law, you may be able to exercise certain rights in how your personal information is processed.
For more information regarding what rights may be available to you under relevant data privacy/protection laws, to submit a request pursuant to such legislation, or if you believe that our processing of your personal information may infringe on your data protection rights, please visit www.hyas.com/privacy-related-requests and submit the information required in the webform at the bottom of that page. Alternately, you may submit data privacy/protection-related requests by contacting our DPO via one of the written means listed under section 15 (Contact Information & Data Protection Officer), below. In all such cases, we will respond to you within thirty (30) calendar days.
Similarly, you may direct any data subject or opt-out requests that concern the transmission of Source Data by our third-party data sources to us by contacting the corresponding Source Data provider(s) to whom you had disclosed, or continue to disclose, your personal information. Pursuant to the CCPA as well as other data privacy/protection laws, our data sources may be required to implement your request(s) by notifying us of your decision to opt out. Under the GDPR, you may also lodge a data privacy/protection related complaint with your local or other competent data protection or supervisory authority.
14. DATA CONTROLLER: DATA COLLECTED DIRECTLY FROM YOU & HYAS’ DATA
HYAS Infosec Inc. is the controller of such of your personal information as we have collected from you directly. HYAS Infosec Inc. is also the controller of HYAS’ Data (defined in section 5, Source Data: What We Collect and What This Data is Used For, above); for more information concerning what is HYAS’ Data and how it is derived, used and otherwise processed, please read section 5 of this Privacy Statement.
We are a Canadian company, and our registered office is located at 500-3 Fan Tan Alley, Victoria, British Columbia V8W 3G9, Canada.
15. CONTACT INFORMATION & DATA PROTECTION OFFICER
You may contact our DPO via the webform provided under section 13 (Data Subject Access Requests & Other Rights That You May Have), above. Alternatively, you may direct your inquiries, concerns and requests relating to HYAS’ data processing practices or this Privacy Statement to DPO@hyas.com, which email is monitored by our DPO.
Privacy Statement-related communications may additionally be mailed to our registered office (per section 14, above), Attention: Data Protection Officer, or you may call us at the following toll-free number: (877) 572-6446.