Invicti Security Privacy Policy

Last updated as of August 11, 2020.

Thank you for visiting the Invicti Security websites (“Sites”).  Invicti Security develops web application security solutions. When individuals visit our Sites, want to hear more about or try our solutions, or purchase our solutions, we collect and process personal information. This Privacy Policy and our Cookie Policy govern how Invicti Security collects, uses, stores, and discloses personal information that we obtain through or from:

  • Individuals who visit, access, download, or use the Sites;
  • Individuals who contact us via our contact form on the Sites (i.e., potential customers);
  • Individuals who purchase our solutions and register for our products and services (“Services”).

Our Sites and Services are collectively referred to as the “Platform” throughout this Privacy Policy.

This Privacy Policy covers our Platform and any other websites, products, software, applications, content, data feeds, and other services owned and operated by Invicti Security on which authorized links to this Privacy Policy or to any affiliated Cookie Policy are posted.

If you have any questions, comments, or concerns regarding this Privacy Policy, our Cookie Policy, and/or our data practices, or if you would like to exercise your rights, do not hesitate to contact us.

1.  Who We Are / Data Controller.  If you use our Platform, except as may be stated in this Privacy Policy, the data controller of your information is Invicti Security Ltd. or one of its affiliated companies or subsidiaries (“Invicti Security”, “we”, “us”).

2.  Children’s Privacy.  Our Platform is not intended for use by individuals under the age of 18, and Invicti Security does not target the Platform to minors.  Invicti Security does not knowingly collect personal information from children under the age of 18.

If you are under the age of 18, please do not provide us with any personally identifiable information.

3.  Personal Information We Collect and How It Is Collected.  “Personal data” – or “personal information” as also used throughout this Privacy Policy – means any information about an individual from which that person may be identified. For example, it may include your name, telephone number, email address, payment information, IP address, device ID, and location information. It does not include data from which the identity of an individual has been definitively removed along with any identifiers connected to such individual.

What personal information we collect and process depends on how and why you use our Platform. Generally, we process personal information that we receive:

  • Directly from you when you provide it to us, such as when you request more information about or purchase our Services; and
  • Indirectly, through automated technologies, such as cookies, or from third parties.

This is all explained in more detail below.

3.1  Information Collected Directly.  What personal information we collect from you directly will depend on how you use our Platform. You can generally visit our Sites without submitting any personal information to us, but you may be asked for information if you would like to hear more about, or sign up for, our Services.

3.1.1  Inquiry/ Demo Information.  To find out more about our Services, or to try them out, we request certain personal information from you:

  • First and last name;
  • Company name;
  • Work email; and
  • Telephone number.

3.1.2  Account Registration Information.  To sign up to use our Services, we collect:

  • First and last name;
  • Company name;
  • Company website;
  • Company email;
  • Telephone number; and

3.1.3  Payment Information.  If you wish to use our Services, we will process your payment information in order to get you started.  Payment processing is performed by third-party service providers as explained further below.  Invicti Security only receives confirmation of your payment once it goes through, and such confirmation is then linked to your transactions and other personal information.

3.1.4  Communication Information.  When you contact us via email or otherwise, we also collect and process any additional information you provide which may include personal information that you voluntarily submit to us in those emails, contact forms, or other communications.

3.2  Information Collected Indirectly.

3.2.1  Device and Usage Information.  When you download, use, or interact with the Platform, even if you do not have an account, we – or authorized third parties engaged by us – may automatically collect information about your use of the Platform via your device, some of which is considered personal information.  “Device and Usage Information” that we collect consists of:

  • Device Information: information about the devices and software you use to access the Platform – primarily the internet browser that you use, the website or source that linked or referred you to the Platform, your IP address or device ID (or other persistent identifier that uniquely identifies your computer or mobile device on the Internet), the operating system of your computer or mobile device, device screen size, and other similar technical information.
  • Usage Information: information about your interactions with the Platform, including access dates and times, hardware and software information, device event information, crash data, cookie data, aggregated scan data or vulnerability data, and feature usage data. This information allows us to understand the screens that you view, how you’ve used the Platform (which may include administrative and support communications with us), and other actions you’ve taken on the Platform. We, or our authorized third parties, automatically collect log data when you access and use the Platform, even if you have not created an account or logged in.  We use this information to administer and improve the Platform, analyze trends, track users’ use of the Platform, and gather broad demographic information for aggregate use.

3.2.2  Cookies and Similar Technologies.  Invicti Security or its authorized third parties use cookies and similar technologies to collect the information described above.  Some cookies are necessary to make the Sites and our content available to you, while others, such as those used by Google Analytics, enable us to analyze and measure audience and traffic to the Sites.  Cookies are also used by us, advertisers (or ad-tech providers), and social media companies to develop and serve ads that are more relevant to your interests or to generally help us increase the number of customers who use our Services.

3.2.3  Information from Third Parties.  In some instances, we process personal information from third parties which may consist of data from our partners such as transactional data from providers of payment services or information from our lead generation partners.

3.3  Analytics/Aggregated Information.  With the Device and Usage Information collected by our third-party analytics services, such as Google Analytics or Pendo, we generate and process aggregated information, such as statistical or demographic data.  Aggregated Information may be derived from personal data, but it is not considered personal data if it does not directly or indirectly reveal your identity.  For example, we may track the total number of visitors to our Platform or the number of visitors to each part of our Platform, and we may aggregate usage data to calculate the percentage of users accessing a specific feature of the Platform and analyze this data for trends and statistics.

However, if we or our third-party analytics service providers combine or connect aggregated information with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be processed in accordance with this Privacy Policy.  Please note that you may opt-out of certain data collection practices covered in this Section by removing or rejecting cookies in your browser’s settings or by contacting us.

4.  Why We Collect Your Personal Information and How We Use It.  Our mission is to provide a safe, efficient, and high-quality Platform, and we – or our authorized third-party service providers who assist us in providing the Platform – process your personal information for this purpose.  Specifically, personal information is processed in order to:

  • Provide you with access to and the ability to use the Platform;
  • Process and complete transactions and send you related information, including purchase confirmations and invoices;
  • Respond to your queries and requests or otherwise communicate directly with you;
  • Improve the content and general administration of the Platform and enhance user experience;
  • Provide customer support;
  • Detect fraud, illegal activities, or security breaches;
  • Provide you with notices regarding purchases or other important information;
  • Ensure compliance with applicable laws;
  • Perform system maintenance and upgrades and enable new features;
  • Conduct statistical analyses and analytics;
  • Increase the number of customers who use our Platform through advertising and marketing;
  • To send you marketing communications if you have opted in to receive them (depending on your location); and
  • Provide information to regulatory bodies when legally required and only as outlined in this Privacy Policy.

5.  Managing Your Preferences. If your personal data changes, or if you no longer desire to use our Services, you may delete your account or contact us.  We will respond to your request within a reasonable timeframe.

6.  Disclosure of Your Personal Information.  We only disclose your personal information as described below.

6.1  Third-Party Service Providers.  Invicti Security discloses users’ information to our third-party agents, contractors, or service providers who are hired to perform services on our behalf.  These companies do things to help us provide the Platform and – in some cases – collect information directly.  Below is an illustrative list of functions for which we may use third-party service providers:

  • Hosting and content delivery network services;
  • Analytics services;
  • CRM providers;
  • Lead generation partners;
  • Marketing and social media partners;
  • Customer support services;
  • Payment processors;
  • Functionality and debugging services; and
  • Professional service providers, such as auditors, lawyers, consultants, accountants, and insurers.

6.2  Business Transfers.  As we continue to grow, we may purchase websites, applications, subsidiaries, and other businesses or business units. Alternatively, we may sell businesses or business units, merge with other entities, and/or sell assets or stock, in some cases as part of a reorganization or liquidation in bankruptcy. As part of these transactions, we may transfer your personal information to a successor entity upon a merger, consolidation, or other corporate reorganization in which Invicti Security participates, or to a purchaser or acquirer of all or a portion of Invicti Security’s assets, bankruptcy included.

6.3  Anonymized Information.  We share aggregated, automatically-collected, or otherwise non-personal information with third parties for various purposes, including: (i) compliance with reporting obligations; (ii) for business or marketing purposes; (iii) to assist us and other parties in understanding our users’ interests, habits, and usage patterns for certain programs, content, services, marketing, and/or functionality available through the Platform.  We do not share personal information about you in these cases.

6.4  Legal Obligations and Security.  In addition, Invicti Security will preserve or disclose your personal information in limited circumstances (other than as set forth in this Privacy Policy), including: (i) with your consent; (ii) when we have a good faith belief it is required by law, such as pursuant to a subpoena, warrant, or other judicial or administrative order (as further explained below); (iii) to protect the safety of any person, to protect the safety or security of our Platform or to prevent spam, abuse, or to protect against any other malicious activity of actors with respect to the Platform; or (iv) to protect our rights or property or the rights or property of those who use the Platform.

If we are required to disclose personal information by law, such as pursuant to a subpoena, warrant, or other judicial or administrative order, our policy is to respond to requests that are properly issued by law enforcement within the United States or via mutual legal assistance mechanism (such as a treaty).  Under such circumstances, we may at our discretion attempt to provide you with prior notice that a request for your information has been made in order to give you an opportunity to object to the disclosure.  However, government requests may include a court-granted non-disclosure order which prohibits us from giving notice to the affected individual.

Note that if we receive information that provides us with a good faith belief that there is an exigent emergency involving the danger of death or serious physical injury to a person then we may provide information to law enforcement trying to prevent or mitigate the danger as determined on a case-by-case basis.

7.  Payment Processing.  We do not directly collect your payment information, and we do not store your payment information.  We use third-party, PCI-compliant payment processors that collect payment information on our behalf in order to complete transactions.  While our administrators are able to view and track actual transactions via customer portals, we do not have access to or process your credit card information.

8.  Retention Period.

8.1  General.  We use the following criteria to determine our retention periods: the amount, nature, and sensitivity of your information; the reasons for which we collect and process your personal data; the length of time we have an ongoing relationship with you and provide you with access to our Services; and applicable legal requirements.  We will retain personal information we collect from you where we have an ongoing legitimate business need to do so (for example, to comply with applicable legal, tax, or accounting requirements).  Additionally, we cannot delete information when it is needed for the establishment, exercise, or defense of legal claims (also known as a “litigation hold”).  In this case, the information must be retained as long as needed for exercising respective potential legal claims.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or – if this is not possible (for example, because your personal information has been stored in backup archives) – we will securely store your personal information and isolate it from any further processing until deletion is possible.

If you have questions about, or need further information concerning, our data retention periods, please contact us.

8.2  Time Frame of Deletion.  If personal data can no longer be retained or is no longer necessary, it will be erased or anonymized in the time frame required by applicable law.

8.3  Anonymization.  In some instances, we may choose to anonymize your personal data instead of deleting it, for statistical use, for instance.  When we choose to anonymize your personal data, we make sure that there is no way that the personal data can be linked back to you or any specific user.

9.  Protecting Your Personal Data.  No method of transmission over the Internet, or method of electronic storage, is 100% secure.  However, we take steps that are reasonably necessary to securely provide our Platform.  We have put in place reasonably appropriate security measures designed to prevent your personal data from being accidentally lost, used, or accessed in an unauthorized way, altered, or disclosed.  We limit access to personal data only to those employees, agents, contractors, and third parties who have a business need-to-know.

We also have procedures in place to deal with any suspected data security breach.  If required, we will notify you and any applicable regulator of a suspected data security breach.  We also require those parties to whom we transfer your personal information to provide acceptable standards of security.

10.  International Transfers.  We have locations outside of the EU, and the personal information that we collect may be stored on servers located in the United States or in any other country in which Invicti Security, its affiliates, partners, service providers, or agents maintain facilities.  This means that your personal information may be collected, processed, and stored in such locations which may have data protection laws that are different from (and sometimes less protective than) the laws of your country or region, such as the General Data Protection Regulation (“GDPR”).

By sending us personal information, you agree and consent to the processing of your personal information outside of the EU in locations such as the United States which may not offer an equivalent level of protection to that required in other countries (particularly the EU) and to the processing of that information by us on servers located outside of the EU, as described in this Privacy Policy.

We have implemented safeguards designed to ensure that the personal information we process remains protected in accordance with this Privacy Policy including when processed internationally or by our third-party service providers and partners.  The safeguards we may take in our discretion include, for instance, entering into binding agreements in connection with any onward transfers of personal information.  We may implement other mechanisms and take similar appropriate safeguards with our third-party service providers and partners.  Further details can be provided upon request.

11.  Changes to this Privacy Policy.  Invicti Security may update this Privacy Policy from time to time, at its sole discretion.  If we make material changes, we will post an updated Privacy Policy within the Platform along with a change notice.  Changes, modifications, additions, or deletions will be effective immediately on their posting to the Platform.  If we make significant changes, we may also send registered users a notice that this Privacy Policy has been changed.  We encourage you to review this Privacy Policy regularly for any changes.  Your continued use of the Platform and/or your continued provision of personal information to us after the posting of such notice will be subject to the terms of the then-current Privacy Policy.  If you continue to use the Platform, you will be deemed to have accepted the change.

12.  How To Contact Us About Privacy.  If you have any questions regarding this Privacy Policy, please contact us online or at the address below:

Invicti Security
220 Industrial Blvd., Suite 102
Austin, TX 78745

13.  Additional Information for Users in California.  Invicti Security provides the Platform to other businesses, and in doing so we may collect and process personal data on behalf of our business customers, including personal data about California residents.  In doing so, Invicti Security is a service provider under the CCPA.  As a service provider, we will collect and process personal data on behalf of a customer to provide the Platform for which that customer has engaged us, in accordance with our contract with such customer.  If you’d like to exercise your rights under the CCPA with respect to your personal data we hold as a service provider for a customer, you should contact that customer directly.

If you have a question or would like to submit a request related to the personal data we collect related to our business-to-business relationship with you or your company, please contact us.

14.  Additional Information for Users in the European Economic Area.  This Section applies to individuals located in the EEA.

14.1  Categories of Recipients of Personal Data.  The categories of recipients of personal data with whom we may share your personal data are listed in the “Disclosure of Your Personal Information” section above.

14.2  Legal Bases and Purposes of Processing.  Invicti Security uses your personal information for a number of different purposes as described in this Privacy Policy.  Some uses are essential for us to provide the Platform or to fulfill our legal obligations, some uses help us run the Platform efficiently and effectively, and some uses enable us to improve our Platform with more relevant and personalized offers and information.  In all cases, under GDPR, we must have a reason and a legal ground for processing your personal information.  Some of the most common legal grounds we rely on are briefly explained below.

14.2.1  Performance of a Contract.  We may process your personal data for the purposes of a contract to which you are a party.  For instance, if you want to use our Platform, we need to process your account registration information, location information, and payment information in order to enable you to do so.

14.2.2  Legitimate Interests.  We may process personal data where it is necessary for our legitimate business interests, but only to the extent that they are not outweighed by your own interests or fundamental rights and freedoms.  We generally rely on legitimate interests to: provide and maintain a Platform that works well and securely; comply with applicable laws; carry out fraud prevention; and generally improve the Platform.  When we rely on this legal basis, we’ll carry out a legitimate interest assessment to ensure we consider and balance any potential impact on you (both positive and negative) and your rights under applicable data protection laws.

14.2.3  Consent.  Invicti Security may rely on consent where it is required, such as with respect to certain information collected via cookies and similar technologies (other than strictly necessary cookies) or when we’re asking you to confirm your marketing preferences.  When we rely on consent, you’ll be asked to confirm that you give your permission to Invicti Security to process your personal information.  You have the right to withdraw your consent at any time if you no longer wish to have Invicti Security process your personal data.

14.2.4  Legal Obligation.  Invicti Security will on occasion be under a legal obligation to obtain and disclose your personal data.  Where possible, we will notify you when processing your data due to a legal obligation, but this may not always be possible.  For instance, Invicti Security may need to provide your data in order to prevent criminal activity or to help to detect criminal activity, in which case we may share information with law enforcement without providing notice to you.  This is done in a safe and secure manner.  It’s essential that Invicti Security complies with its legal, regulatory, and contractual requirements, so if you object to this processing then Invicti Security will not be able to provide its Platform to you.

14.3  Your Rights and Choices Under GDPR.  If the GDPR applies to you because you are in the EEA, you have the following rights in relation to your personal data:

  • The right to be informed – our obligation to inform you that we process your personal data (and that’s what we’re doing in this Privacy Policy);
  • The right of access – your right to request a copy of the personal data we hold about you (also known as a ‘data subject access request’);
  • The right to rectification – your right to request that we correct personal data about you if it is incomplete or inaccurate (though we generally recommend first making any changes in your Account Settings);
  • The right to erasure (also known as the ‘right to be forgotten’) – under certain circumstances, you may ask us to delete the personal data we have about you (unless it remains necessary for us to continue processing your personal data for a legitimate business need or to comply with a legal obligation as permitted under the GDPR, in which case we will inform you);
  • The right to restrict processing – your right, under certain circumstances, to ask us to suspend our processing of your personal data;
  • The right to data portability – your right to ask us for a copy of your personal data in a common format (for example, a .csv file);
  • The right to object – your right to object to us processing your personal data (for example, if you object to us processing your data for direct marketing); and
  • Rights in relation to automated decision-making and profiling – our obligation to be transparent about any profiling we do, or any automated decision-making.

These rights are subject to certain rules around when you can exercise them. If you are located in the EEA and wish to exercise any of the rights set out above, please contact us here or at the addresses provided below.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights) unless your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request under those circumstances.

We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

If we cannot reasonably verify your identity, we will not be able to comply with your request(s).

We will respond to all legitimate requests within one month.  Occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests.  In this case, we will notify you and keep you updated as required by law.

In addition, if you no longer wish to receive our marketing/promotional information, we remind you that you may withdraw your consent to direct marketing at any time directly from the unsubscribe link included in each electronic marketing message we send to you.  If you do so, we will promptly update our databases, and will take all reasonable steps to meet your request at the earliest possible opportunity, but we may continue to contact you to the extent necessary for the purposes of providing our Platform.

Finally, you have the right to make a complaint at any time to the supervisory authority for data protection issues in your country of residence. We would, however, appreciate the chance to address your concerns before you approach the supervisory authority, so please contact us directly first.

If you are a user in the EEA, you may also contact our representative in the European Union:

Attn: Data Protection Officer
2nd Floor, Mirabilis Bldg.
TRIQ I-Intornjatur Mriehel
Malta BKR 3000

Cc:  220 Industrial Blvd., Suite 102
Austin, TX 78745