Privacy Policy for IISRI®
Effective Date: 24 August 2024
1. Introduction
IISRI® ("we", "our", "us") provides security and privacy services and reports to our customers. We are
committed to safeguarding your privacy and protecting your personal data. This Privacy Policy explains
how we collect, use, disclose, and protect your personal information, and outlines your rights under the
General Data Protection Regulation (GDPR). By using our website, rating reports, and other services, you
consent to the practices described in this Privacy Policy.
2. Information We Collect
We collect personal data through various interactions with IISRI® as detailed below.
2.1 Website
- Cookies: We use cookies to improve your experience on our site and to comply with our Terms and Conditions. Cookies may be used to store anonymized information with a 12-month retention period. You can manage your cookie preferences through your browser settings.
2.2 Requesting Rating Reports
- Personal Information: To receive rating reports, we collect your first and last name, email address, and optionally, your organization name. This data is retained for 12 months or until the rating expires, after which it is automatically deleted.
2.3 External Assessment
- Public Information: External assessments and ratings are based on publicly available information, which is mirrored, timestamped, encrypted, and stored securely. This information is not considered personal data.
2.4 Internal Assessment
- Sensitive Information: For internal assessments (including audits) and ratings, you may provide sensitive or confidential information. This data is transmitted over encrypted channels and is accessible only to the IISRI® team. All data used during and after assessments is encrypted, except for published ratings and reports available on our website.
3. Use of Collected Information
We use your personal data to:
- Provide Services: Deliver requested services, such as rating reports and internal assessments (including audits).
- Customer Support: Manage and respond to your inquiries and support requests.
- Retention: Retain information for 12 months or until the rating expires for service continuity.
3.1 Report Purchase
- Watermark and Recovery: Personal data provided during report purchase is used to create a unique watermark and to assist in recovering lost reports.
3.2 Internal Assessments
- Assessment Reports: Data provided for internal assessments (including audits) is used exclusively for assessment purposes and will not be disclosed to third parties without explicit consent from the assessed organization.
3.3 Payment
- Payment Processing: We do not process or store card data. Our PCI DSS compliant payment provider handles financial transactions and adheres to their privacy policy. We share information with them only as necessary for payment processing.
4. Disclosure of Information
We do not disclose personal information to third parties without your explicit consent, except:
- Legal Requirements: If required by law or to protect our legal rights.
- Third-Party Requests: For ratings, reports, and certifications, we may disclose information based on public records or with explicit consent from the assessed organization.
5. Data Retention
We retain your personal data only for the duration necessary to fulfil the purposes outlined in this policy
or as required by law. Data is securely deleted once it is no longer needed.
6. Data Security
We implement appropriate technical and organizational measures to protect your personal data against
unauthorized access, alteration, disclosure, or destruction. However, no method of transmission over the
internet or electronic storage is 100% secure, so we cannot guarantee absolute security. Information sent to
us via email is considered unencrypted and is not covered by this policy unless agreed otherwise before
engagement.
7. Your Rights Under GDPR
Under GDPR, you have the following rights:
- Access: Request access to your personal data.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data, subject to certain conditions.
- Restriction: Request restriction of processing your data.
- Objection: Object to data processing based on legitimate interests.
- Portability: Request data transfer in a structured, commonly used format.
- Profiling: Object to automated profiling.
- Complaint: Lodge a complaint with a data protection supervisory authority.
- Withdrawal of Consent: Withdraw consent where processing is based on consent.
To exercise your rights, contact us via our contact form. We may request additional information to verify
your identity. We may charge a fee for excessive or unfounded requests.
8. Policy Modifications
We may update this Privacy Policy from time to time. Any changes will be posted on this page with the
updated effective date. We encourage you to review this policy periodically to stay informed about how we
are protecting your information.
9. Questions and Requests
For any questions or to request data removal, please use the contact form on our website with subject
“privacy policy” to contact our designated Data Protection Officer. We are committed to addressing your
concerns and assisting with your requests.