Introduction

Security Risk Pte. Ltd. (Company No. 201720434E) (“Security Risk”, “we”, “our” or “us”) is a company which offers a Software-as-a-Service to companies that intend to manage their security operations on the cloud(“Services”).

We act in accordance with applicable data privacy laws, such as the Personal Data Protection Act 2012 (No. 26 of 2012) of Singapore (“PDPA”), when collecting and using Personal Data that you have provided to us, or which we have obtained from your visits to our websites and/or our mobile applications (“Platform”). Where our processing of your Personal Data is subject to other data protection/privacy laws, such as the European Union General Data
Protection Regulation (Reg. 2016/679) (“GDPR”), we will process your Personal Data in accordance with such laws.

This Privacy Policy (“Policy”) sets out the essential details relating to how we handle your Personal Data, and sets out how we collect your Personal Data, what Personal Data we collect, how we use it, and what rights you have in relation to our processing of your Personal Data.

For the purposes of this Policy, “Personal Data” refers to data, whether true or not, about an individual who can be identified (a) from that data; or (b) from that data and other information to which we have or is likely to have access; or any other definition of “Personal Data” under applicable law.

The words “we”, “us”, “our” or any of their derivatives refer to Security Risk and its successors and any novatee, assignee, transferee or purchaser of Security Risk’s rights and/or obligations hereunder and any reference to Security Risk includes a reference to such successor, novatee, assignee, transferee or purchaser. The words “you”, “your”, “yours” or any of their derivatives refer to the person using our Services, operating any account maintained with us, accessing our Platform, or otherwise providing information to or communicating with us and shall include, as the context may require, personal representatives (as the case may be).

How we collect Personal Data

Depending on the nature of your interaction with us, we use different methods to collect Personal Data from and about you, including without limitation, through:

(a) Direct Interactions
We may collect your Personal Data when you engage us for any of our Services, whether in writing, orally or through our Platform. We may also collect Personal Data to comply with any Services that you request for, to correspond with you and/or where you submit your Personal Data to us for any other reason (whether voluntary or otherwise).

(b) Automated Interactions
We may automatically collect your Personal Data when you interact with us (e.g. via the use of our Platform or through electronic communications). For more information on cookies, please refer to Section H below.

(c) Third Parties
We may collect your Personal Data from third parties (e.g. your employer while setting up a sentry or responder account for you or regulatory authorities for the purpose of verifying your license to provide security services) for the purposes of providing our Services, including Personal Data in publicly available sources.

Where your Personal Data is collected from third parties, we will only use such Personal Data where you have provided your consent to the third party which would also cover our processing of your Personal Data or where otherwise permitted to do so by applicable law.

If you are submitting Personal Data of another individual to us, you confirm that such Personal Data is true and correct. You further confirm that you will not provide us with any Personal Data unless you have ensured that you have obtained all necessary consents and/or have provided any required notices to the individuals. Alternatively, you may provide Personal Data to us if you have another legal justification to provide such information to us so that we can use it for the purposes and on the bases set out in this Policy.

What Personal Data we collect

The type and quantity of Personal Data we collect and how we use it depends on the purpose for which you provided such Personal Data. We will seek to minimize our collection to what is necessary for each relevant function or service.

We may collect the following kinds of Personal Data about you when you engage us for our Services or use our Platform:

(a) Personal contact data including name, telephone number, email address, residential
address and correspondence address.
(b) Location data.
(c) Identification information (including photographs).
(d) Business or employment information such as occupation and education.
(e) Personal opinions made known to us (e.g. your feedback).
(f) Information relating to the usage of our Services and/or Platform (e.g. browsing history).
(g) Other information you may choose to provide us. For example, incident reports, images and recordings.
(h) Any other personal data reasonably required in order for us to provide the Services to you or for you to use our Platform.(i) Any other personal data permitted by or required to comply with any applicable local or foreign laws. These laws include regulations, notices, notifications, rules, circulars, licence conditions, directions, requests, requirements, guidelines, directives, codes, information papers, practice notes, demands, guidance and/or decisions of any national, state or local government, any agency, exchange, regulatory or self-regulatory body, law enforcement body, court, central bank or tax revenue authority or any other authority whether in Singapore or elsewhere, whether having the force of law or not (including any intergovernmental agreement
between the governments or regulatory authorities of two or more jurisdictions or otherwise), as may be amended from time to time.

How do we use your Personal Data

We generally use and process your Personal Data for the purposes below or if we are otherwise legally permitted to do so

Providing services and features

Your Personal Data may be used to provide, personalise, maintain and improve our Services. This includes using your Personal Data to:

(a) Provide you with Services as requested by you.
(b) Create, administer and update your account on our Platform.
(c) Verify your identity.
(d) Enable features that personalise your experience on our Platform, such as your location.
(e) Track the progress of your assignment.
(f) Perform internal operations necessary to provide our Services, including troubleshooting software bugs and operational problems conducting data analysis,
monitoring and analysing usage and activity trends.
(g) To assess and comply with any requests or instructions from you.

Safety and security

Your Personal Data may be used to ensure the safety and security of our Services and all users. This includes using your Personal Data to:

(a) Prevent, detect and combat unsafe activities.
(b) Sharing location and details when you embark on your assignment.
(c) Monitoring compliance with our internal policies and procedures.
(d) Detecting and preventing crime.

User support

Your Personal Data may be used to resolve user support issues:

(a) Investigate and address concerns.
(b) Monitor and improve user support responses.
(c) Respond to questions, comments and feedback.
(d) Inform you about steps taken to resolve user support issues.

Research and development and security

Your Personal Data may be used for research, analysis and development of our Services and Platform. This allows us to, amongst others, understand and analyse your needs and preferences, protect your Personal Data, improve and enhance the safety and security of our Services and Platform.

Legal purposes

Your Personal Data may be used to investigate and resolve claims or disputes, or as allowed or required by applicable law. Your Personal Data may be used when we are required, advised, recommended, expected or requested to do so by our legal advisors or any local or foreign legal, regulatory, governmental or other authority.

Marketing and promotions

Your Personal Data may be used for us to communicate marketing materials to you by email, push notification, telephone calls, short message services.

Mergers and acquisitions

Your Personal Data may be used in connection with mergers, acquisitions, joint ventures, sale of company assets, consolidation, restructuring, financing, business asset transactions, or acquisition of all or part of our business by another company.

We will generally seek consent to process your Personal Data, unless we are permitted to do so without consent in accordance with applicable law.

In addition, to the extent that GDPR applies, your Personal Data may be processed in accordance with one or more of the following bases:

(a) It is necessary for the performance of a contract with you.
(b) It is necessary for compliance with a legal obligation.
(c) It is necessary to protect your vital interests or the vital interests of another person.
(d) It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
(e) It is necessary for our legitimate interest (or those of a third party), except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Please note that if you choose not to provide us with your Personal Data or choose not to consent to our processing of your Personal Data, we may not be able to provide some or all of our Services to you or make available our Platform to you.

If we intend to process your Personal Data for a purpose other than that for which the Personal Data was collected, we will provide you, prior to the further processing, with information on that other purpose.

Disclosing your Personal Data

We may disclose your Personal Data to third parties from time to time, but will only transfer such Personal Data in circumstances where we are satisfied that it will be subject to an appropriate level of protection and in accordance with any safeguards that may be legally required. Some of these parties may include:

(a) Third party service providers (e.g. IT services, data analytics services).
(b) Other users of the Platform (e.g. If you require security services, we will share the Personal Data of the personnel providing security services to you. If you provide security services, we will share your Personal Data with persons requesting for security services).
(c) Our affiliates or partners.
(d) Our professional advisers, consultants and auditors.
(e) Regulatory or supervisory authorities

Security and Retention

Security

As part of our commitment to protecting your privacy, we implement appropriate technical and organisational measures to protect your Personal Data against accidental, unauthorized or unlawful use, disclosure, access, destruction, loss, change or damage.

Nevertheless, do note that while we will endeavor to take all reasonable measures to protect your Personal Data, you should similarly take all necessary precautions, such as implementing strong passwords and limiting access to your device which you use to access our Platform.

Retention

We keep your Personal Data only for as long as necessary to provide you with the Services and to operate our Platform, to fulfil our processing purposes, in accordance with our legal obligations and for legitimate business purposes. Please refer to our Data Retention Policy
for further information.

The retention period for your Personal Data may vary based on the specific circumstances. Nevertheless, in determining the appropriate period to lawfully retain your Personal Data, we will consider inter alia, the:

(a) Amount, nature and sensitivity of Personal Data.
(b) Purposes for which Personal Data is retained.
(c) Appropriate security measures and, if any, relevant technical constraints.
(d) Applicable legal requirements

If you request that we stop sending you marketing materials, we may keep a record of your contact details and appropriate information to enable us to comply with your request not to be contacted by us. In such instances, we will endeavor to retain only minimal Personal Data
to effect the above.

Nonetheless, if you withdraw your consent (where we rely on consent as our legal basis) or object to our processing of your Personal Data, you may at any time request that we erase or delete your Personal Data. Upon receipt of such request, we shall, within a reasonable time, delete or anonymise your Personal Data unless we are legally permitted or required to retain such Personal Data (e.g. ongoing dispute, tax obligations, accounting purposes, compliance
with any legal obligations).

Transfer to other countries

In the provision of our Services and the operation of our Platform, the Personal Data we collect may be transferred to and processed by third parties in other countries. In all such instances, Security Risk shall ensure that the transfer of your Personal Data is carried out in accordance with any applicable laws and that appropriate safeguards (e.g. contractual, technical and organisational measures) are put in place before such transfer takes place.

Cookies

Our Platform uses cookies in order to facilitate your experience when browsing our Platform.

For the purposes of this Policy, a “cookie” is a small piece of information sent by a web server to the Platform, which enables the server to collect information from the Platform.

Security Risk uses cookies which are necessary for the functioning and operation of the Platform. We may also use cookies that allow us to track, record and analyse data in relation to the activity on our Platform (e.g. site traffic and volume, site usage statistics, operating system, referral source or device information), or recognize you whenever you return to our Platform for us to customize your browsing experience based on your preferences.

Please note that if you choose not to receive cookies, you may not be able to properly utilize the full functionalities of the Platform.

We may display advertisements from third parties or provide links to third party websites on our Platform. In these instances, Security Risk cannot be held responsible or liable for the privacy practices and policies of the third party. As such, please read the privacy policies of such third parties to find out how they process and collect your Personal Data when visiting these third party web sites.

How to Access and Control your Personal Data

Individuals are given rights in relation to their Personal Data pursuant to the applicable law.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

For security reasons, in relation to certain rights, we may request for information to verify your identity before processing your request.

In general, the rights afforded to individuals are:

(a) Right to Access
The right to be informed of and request access to the Personal Data that we process about you. This will enable you to check what Personal Data we are processing and whether the processing is lawful.

We will respond to your access request as soon as reasonably possible. Should we not be able to respond to your access request within 30 days after receiving your access request, we will inform you in writing via email within 30 days of the time by which we will be able to respond to your request.

(b) Right of Correction/Rectification
The right to request that we amend or update your Personal Data where it is inaccurate or incomplete. While we shall make a reasonable effort to ensure that
the Personal Data we collect is accurate and complete, you are responsible for ensuring the accuracy of the Personal Data that you provide to us directly.

We will respond to your correction request as soon as reasonably possible. Should we not be able to perform the correction request within 30 days after receiving your request, we will inform you in writing via email on the time by which we will be able to perform your correction request.

(c) Right to Withdraw Consent
The right to withdraw your consent at any time, where consent is the legal basis of the processing of your Personal Data. Depending on the nature and scope of your request, we may not be in a position to continue performing our obligations in the course of providing our Services to you.

You may also have one or more of the following rights as available and subject to applicable laws such as the GDPR:

(a) Right to Erasure
The right to request that we erase Personal Data concerning you without undue delay.

(b) Right to Restriction of Processing
The right to request that we restrict the processing of your Personal Data in certain circumstances such as where the accuracy of your personal data is consented to enable us to verify the accuracy of your Personal Data.

(c) Right to Object
The right to object to your Personal Data being processed by us for direct marketing purposes, or to, at any time, object to us processing your Personal Data on grounds relating to your particular situation.

(d) Right to Data Portability
The right to request a copy of your Personal Data in electronic format and the right to transmit that Personal Data for use in another party’s service.

(e) Right not to be subject to Automated Decision-making
The right to not be subject to a decision based solely on automated decision-making where the decision would have a legal effect on you or produce a similarly significant effect.

If we send you electronic marketing messages based on your consent or as otherwise permitted by applicable law, you may, at any time, respectively withdraw such consent or declare your objection at no cost. The electronic marketing messages you receive from Security Risk will also include an “unsubscribe” option within the message itself to enable you to manage your Personal Data. Please note that if you opt-out of receiving direct marketing materials, we may still send you non-promotional messages, such as information about the Services we are providing to you.

To the extent permitted by applicable law, we may not accede to your request. If we are unable to accede to any request submitted by you, we shall inform you of the reasons why we are unable to do so.

Additionally, you have the right at any time to lodge a complaint with the relevant Data Protection Authority if you are unhappy with the way in which we are using your Personal Data.

In order to enable you to exercise these rights with ease and to record your preferences in relation to how Security Risk uses your Personal Data, you may manage your privacy preferences at any time via the Platform or by contacting our Data Protection Officer at ian.stewart@securityrisk.com .

Changes to this Policy

We may amend the terms of this Policy from time to time (e.g. to respond to changes in any applicable law). Where the terms of this Policy change, we will notify you of any changes, including by displaying the notice within our Platform or by sending you an email. Additionally, you may also wish to refer to the “updated” date at the start of this Policy. If you continue to use our Services, operate any account maintained with us, access our Platform, and/or otherwise provide information to or communicate with us, you consent to our updates to this Policy without reservation.

Contact Us

If you have any questions about your privacy, your privacy rights, or how to exercise them, please feel free to contact our Data Protection Officer at ian.stewart@securityrisk.com.

We will respond to your request within a reasonable period of time upon verification of your identity (if applicable).