CyberRank Privacy Policy

Effective Date: 15 January 2025

1. Introduction

CyberRank ("we," "our," "us") provides automated online services to issue IISRI® external ratings. We are committed to safeguarding your privacy and protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in compliance with the New Zealand Privacy Act 2020, the General Data Protection Regulation (GDPR), and other applicable international privacy laws. By using our website, rating reports, and services, you agree to the practices outlined in this Privacy Policy.

2. Information We Collect

We collect personal data during your interactions with CyberRank, as detailed below:

2.1 Website

• Cookies: We use cookies to enhance your experience, analyze website performance, and ensure compliance with our Terms and Conditions. Cookies store anonymized information and are retained on your device based on your browser settings. You can manage cookie preferences through your browser settings.
• Usage Data: We may collect non-personal information about your use of our website, such as browsing history, IP address, and device information. This data is used for website analytics and to improve user experience.

2.2 CyberRank WebApp

• Personal Information: To register and request rating reports, you must provide your first and last name, email address, and your organization's name. Upon signing up to CyberRank, the domain associated with your email is considered the organization you are a member of.

3. Use of Collected Information

We use your personal data to:

• Providing Services: Deliver requested services such as rating reports, publishing ratings to the IISRI® web directory. We use your email address to provide you with notifications about alerts and events of interest for vendors/organizations which you are monitoring.
• Improving Services: Analyzing website usage data to enhance user experience and improve the functionality of our services.
• Customer Support: Responding to inquiries and providing assistance within a reasonable timeframe.
• Marketing and Communication (with consent): Sending you relevant information about our services, updates, and news (with your prior consent).

4. Disclosure of Information & Data Sharing

We do not disclose your personal information to third parties without your explicit consent, except in the following limited circumstances:

• Legal Requirements: We may disclose your information when required by law, such as to comply with a court order, subpoena, or other legal process. We may also disclose information to protect our legal rights or interests.
• Payment Processors: We may share your data with trusted third-party service providers (Stripe and PayPal) who process data on our behalf. These service providers are contractually obligated to maintain the confidentiality and security of your data.

We only share your data with these third parties for the purposes of providing and improving our services.

5. Data Retention

We retain your personal data for the period necessary to fulfill the purposes outlined in this policy or as required by applicable laws, including the New Zealand Privacy Act 2020 and the GDPR. We have data retention policies in place to ensure that data is deleted securely when it is no longer required (12 months). The retention period for different types of data may vary depending on the specific purpose and legal requirements.

6. Data Security

We employ a range of technical and organizational security measures to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures may include:

• Encryption: We use encryption technologies, such as TLS 1.3 and AES256, SHA512, to protect data during transmission.
• Access Controls: We implement robust access controls, including strong passwords and multi-factor authentication, to restrict access to your data.
• Regular Security Audits: We conduct regular security audits and penetration testing to identify and address potential vulnerabilities.

Important Note: While we strive to ensure the security of your data, no method of transmission or electronic storage is completely immune from security risks.

7. Your Rights

We are committed to protecting your privacy and comply with the GDPR and the New Zealand Privacy Act 2020, which grant you certain rights regarding your personal data:

• Access: You can access your personal information in the CyberRank dashboard or request copies of your personal data that we hold.
• Rectification: You can correct any inaccurate or incomplete data about you in CyberRank or ask us to do it for you.
• Erasure (Right to be Forgotten): You can delete your personal data by closing the CyberRank account or request us to help.
• Restriction of Processing: You have the right to request that we temporarily or permanently stop processing all or some of your personal data. This applies while we verify the accuracy of your data or the legitimacy of our data processing.
• Objection: You can object to our processing of your personal data if we are relying on a legitimate interest (or those of a third party) and there is something about your situation that makes you want to object to processing on this ground. You can also object where we are processing your personal data for direct marketing purposes.
• Data Portability: You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
• Profiling: You have the right to object to any automated decision-making, including profiling, which produces legal effects concerning you or significantly affects you.
• Complaint: You can lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes on data protection laws.
• Withdrawal of Consent: If our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us via our designated contact form or email address provided: DPO@iisri.com.

8. Policy Modifications

CyberRank may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will let you know 30 days in advance by email. We will update the Effective Date at the top of this page. Please review this Privacy Policy periodically to stay informed about how we are protecting your personal data.

9. International Data Transfers

Your data may be transferred to countries outside of New Zealand or the European Union. We will take appropriate safeguards to protect your data in accordance with the relevant data protection laws.

9. Contact us

For any questions, concerns, or requests regarding this Privacy Policy, please contact us through our contact form or email us at DPO@iisri.com. You can contact us by post at 17B Farnham St, 1052 Auckland, New Zealand.