Last Update: July 9, 2020
At IronNet, trust is a core value. This IronNet Privacy Statement (“Privacy Statement”) describes our privacy practices, specifically how we collect, use, share, and otherwise process information relating to individuals (“Personal Data”). Please read this Privacy Statement carefully to learn about your rights and choices regarding our processing of your Personal Data.
Any reference to “IronNet,” “we,” “us,” or the “Company” is a reference to IronNet Cybersecurity, Inc. and to its subsidiary High Degree LLC.
IronNet provides a variety of products and services that help our customers protect against cybersecurity attacks and that help detect online advertising fraud. These include:
- IronDefense and IronDome – IronNet flagship advanced security threat detection services (“Security Services”)
- IronNet Digital Detect – sophisticated invalid digital advertisement traffic detection service. Provided by High Degree LLC
- IronNet Digital Verify – Analysis of an Instagram influencer’s audience, distinguishing authentic followers and activity from bot activity. Provided by High Degree LLC
This Privacy Statement is not applicable to personal data of IronNet’s employees and contractors (“HR Personal Data”). HR Personal Data is handled pursuant to internal IronNet policies and procedures, in compliance with applicable law.
1.0 Processing Activities Covered
This Privacy Statement applies to the processing of Personal Data collected by us:
- In connection with the provision of our products and services to customers, including our Security Services, IronNet Digital Detect, and IronNet Digital Verify (collectively, “Services”)
- When you visit our public websites that display or link to this Privacy Statement (“Public Websites”)
- When you visit our branded social media pages
- When you visit our offices
- When you receive communications from us, including emails, phone calls, text messages, or faxes
Our Public Websites may contain links to other websites, applications, and services maintained by third parties. The information practices of such other services, or of social media networks that host our branded social media pages, are governed by those third parties’ privacy statements, which we encourage you to review to better understand those third parties’ privacy practices.
2.0 Responsible IronNet Entity
IronNet is the processor of Personal Data that is provided to or obtained by IronNet as part of its Services for its customers that are businesses or other entities. Otherwise, IronNet is the controller of your Personal Data as described in this Privacy Statement, unless expressly specified otherwise.
3.0 What Personal Data Do We Collect?
3.1 Personal Data We Collect Through Our Services
- IronNet may elect to run mass marketing free trial campaigns of our Security Services where users and company information may be collected. Customers who sign up for and are qualified to participate in the free trial must forward information for analysis by our Security Services. This service is free and voluntary. IronNet does not commit to remediate nor to mitigate any found threats/exploits in customers’ logs.
- IronNet Digital Detect tracks advertisement fraud for selected and qualified customers. This entails the use of data collection sensors, embedded in web sites and/or online advertisements, to track and submit to IronNet’s back-end analytics solutions the behavior of users who are presented with, click (or purport to click), or otherwise interact with pages containing online advertisements. Only suspicious behaviors are submitted to IronNet customers. Users’ cookies, browser information, document referral URL, source IP address, geolocation, and other metrics may be collected and reported if the behavior correlates with fraud behaviors. This information will be kept only for as long as required to fulfill the purposes for which they were collected. IronNet Digital Detect utilizes first-party cookies set in the web browser under the domain name associated with the website (Publisher).
- IronNet Digital Verify analyzes the reliability of social media account followers. You will provide your social media account identifiers and your follower information for our social media account verification and scoring service. This entails reviewing and submitting follower behavior to IronNet’s back-end analytics solutions. This information will be kept only for as long as required to fulfill the purposes for which they were collected.
- If you register or otherwise agree to use any of our Services, then you may be required to provide your name, organization name, email address, and other information as relevant to such product or service. You may also be required to provide credit card and other payment information for use with our Services.
- When you request support from IronNet about one of our Services, IronNet may allow you to create a support ticket from our IronNet Partner Portal. Our support services will authenticate your identity and provide access to another third-party platform for use related to authorized IronNet customers. Non-customer information is not collected, and non-customers cannot use the Partner Portal.
3.2 Other Personal Data that We Collect Directly from You
The Personal Data that we collect directly from you includes the following:
- If you express an interest in obtaining additional information about our Services, request customer support, use our Contact Us or similar features, sign up for an event, webinar, or contest, or download certain content, we may require that you provide us with your contact information, such as your name, job title, company name, address, phone number, or email address.
- If you use or interact with our Public Websites, we automatically collect log files and other information about your device, such as Internet Protocol (IP) addresses or other identifiers, and your usage of our websites through analytic technologies (i.e., Google Analytics). This information may qualify as Personal Data (please see the What Device and Usage Data We Process section below).
- If you visit our offices, you will be required to register as a visitor and provide your name, email address, phone number, company name, and the time and date of arrival. For purposes of access control and verification, we also capture video images in and around our offices.
If you provide to us or to our service providers any Personal Data relating to other individuals, you represent that you have the authority to do so and permit us to use the Personal Data in accordance with this Privacy Statement.
If you believe that your Personal Data has been provided to us improperly, or to otherwise exercise your rights relating to your Personal Data, please contact us as outlined in the Contacting Us section of this Privacy Statement below.
3.3 Personal Data We Collect from Other Sources
As part of our sales and marketing activities, we may collect information about you from other sources, including third parties from whom we have purchased Personal Data, and combine this information with Personal Data provided by you when you indicate interest in our Services. This helps us to update, expand, and analyze our marketing records, identify new customers, and create more tailored advertising about Services that may be of interest to you. In particular, we collect Personal Data from the following sources for these purposes:
- Public Website Visitors:
- Third-party providers may be used to gather business contact information, including mailing addresses, job titles, email addresses, phone numbers, intent data (or user behavior data), IP addresses, social media profiles, LinkedIn URLs, and custom profiles for purposes of targeted advertising, delivering relevant email content, event promotion, and profiling.
- Platforms such as GitHub may be used to manage code check-ins and pull requests. If you participate in an open source or community or other development project associated with us, we may associate your code repository username with your community account so we can inform you of program changes that are important to your participation or relating to additional security requirements.
4.0 What Device and Usage Data We Process
We may use common information-gathering tools, such as log files, web beacons, and similar technologies, to automatically collect information that may contain Personal Data from your computer or mobile device as you navigate our Public Websites or interact with emails we have sent you.
4.1 Log Files
As a standard practice for most websites, we gather certain information automatically via log files when you use our Public Websites. This information may include your IP address (or proxy server), device and application identification numbers, your location, your browser type, your Internet service provider and/or mobile carrier, the pages and files you viewed, your searches, your operating system, system configuration information, and date and time stamps associated with your usage. This information is used to analyze overall trends to help us provide and improve our Public Websites and to improve their security and continued proper functioning. We also collect IP addresses from users when they log in to our Services as part of our security features.
4.2 Web Beacons and Other Tracking Technologies
4.3 Social Media Features
Our Public Websites provide links to our social media pages (LinkedIn and Twitter). We may use features such as the Facebook Like button, the Tweet button, and other sharing widgets (“Social Media Features”). You may be given the option by such Social Media Features to post information about your activities on a website to a profile page of yours that is provided by a third-party social media network in order to share with others within your network. Social Media Features are either hosted by the respective social media network or hosted directly on our Public Websites. To the extent the Social Media Features are hosted by the respective social media networks, the latter may receive information that you have visited our Public Website from your IP address. If you are logged into your social media account, it is possible that the respective social media network can link your visit of our Public Websites with your social media profile. Your interactions with Social Media Features are governed by the privacy policies of the companies providing the relevant Social Media Features.
4.4 Telephony Log Information
We may also collect telephony log information, such as phone numbers, time and date of calls, duration of calls, and types of calls. This information will be stored on our Enterprise Resource Planning (ERP) or Customer Relationship Management (CRM) solutions.
5.0 Purposes for Which We Process Personal Data and the Legal Bases on Which We Rely
We collect and process your Personal Data for the below purposes based on the following legal bases:
- Providing our Services: We process your Personal Data to perform our contracts with our customers for providing Services. We base the processing of your Personal Data on legitimate interest legal basis to provide Services to our customers;
- Providing our Public Websites and responding to your requests: We process your Personal Data to perform any contract with you for the use of our Public Websites and to fulfill our obligations to you. Where we have not entered into a contract with you, we base the processing of your Personal Data on legitimate interest legal basis to provide Services to you and to operate and administer our Public Websites and to provide you with content you access and request (e.g., to download content from our Public Websites).
- Promoting security of our Public Websites: We process your Personal Data by tracking use of our Public Websites, creating aggregated, non-personal data, verifying accounts and activity, investigating suspicious activity, and enforcing our terms and policies, to the extent this is necessary for our legitimate interest in promoting the safety and security of the systems and applications used for our Public Websites and in protecting our rights and the rights of others.
- Handling contact and user support requests: If you fill out a Contact Us web form or request user support, or if you contact us by other means, we process your Personal Data to perform our contract with you and to the extent it is necessary for our legitimate interest in fulfilling your requests and communicating with you.
- Managing event registrations and attendance: We process your Personal Data to plan and host events or webinars for which you have registered or that you attend, including sending related communications to you, to perform our contract with you.
- Managing contests or promotions: If you register for a contest or promotion, we process your Personal Data to perform our contract with you. Some contests or promotions have additional rules containing information about how we will process your Personal Data.
- Managing payments: If you have provided financial information to us, we process your Personal Data to verify that information and to collect payments to the extent that doing so is necessary to complete a transaction and perform our contract with you.
- Developing and improving our Public Websites: We process your Personal Data to analyze trends and track your usage of our Public Websites and interactions with our emails to the extent it is necessary for our interest in developing and improving our Public Websites and providing our users with more relevant and interesting content.
- Registering office visitors: We process your Personal Data for security reasons, to register visitors to our offices and to manage non-disclosure agreements that visitors may be required to sign, to the extent such processing is necessary for our legitimate interest in protecting our offices and our confidential information against unauthorized access.
- Displaying personalized advertisements and content: We process your Personal Data to conduct marketing research, advertise to you, provide personalized information about us on and off our Public Websites, and to provide other personalized content based upon your activities and interests to the extent it is necessary for our legitimate interest in advertising on our Public Websites or, where necessary, to the extent you have provided your prior consent.
- Sending marketing communications: We process your Personal Data to send you marketing information, product recommendations, and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS, or push notifications) about us, our affiliates, and our partners, including information about our Services, promotions, or events as necessary for our legitimate interest in conducting direct marketing or to the extent you have provided your prior consent.
- Complying with legal obligations: We process your Personal Data when cooperating with public and government authorities, courts, or regulators in accordance with our legal obligations under applicable laws to the extent this requires the processing or disclosure of Personal Data to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our Public Websites and Services, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
Where we need to collect and process Personal Data by law, or under a contract we have entered into with you, and you fail to provide the required Personal Data when requested, we may not be able to perform our contract with you.
6.0 Who Do We Share Personal Data with?
We do not share your Personal Data with anyone other than the following without your consent:
- When providing Services for our customers, we may disclose your Personal Data to fulfill our obligations under the applicable contract. Where we have not entered into a contract with you, we base the disclosure of your Personal Data on legitimate interest legal basis to provide Services to our customers.
- With our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, customer support, and data enrichment, for the purposes and pursuant to the legal bases described above; such service providers comprise companies located in the countries in which we operate (relevant countries include the United States, Japan, and the United Kingdom).
- If you use our Public Websites to register for an event or webinar organized by one of our affiliates, with the affiliate to the extent this is required on the basis of the affiliate’s contract with you to process your registration and ensure your participation in the event. In such instances, our affiliate will process the relevant Personal Data as a separate controller and will provide you with further information on the processing of your Personal Data, where required.
- If you attend an event or webinar organized by us, or download or access an asset on our Public Website, with sponsors of the event. If required by applicable law, you may consent to such sharing via the registration form or by allowing your attendee badge to be scanned at a sponsor booth. In these circumstances, your information will be subject to the sponsors’ privacy statements. If you do not wish for your information to be shared, you may choose to not opt-in via event/webinar registration or elect to not have your badge scanned, or you can opt-out in accordance with the Your Rights Relating to Your Personal Data section of this Privacy Statement.
- With sponsors of contests or promotions for which you register.
- With third-party social media networks, advertising networks, and websites, which usually act as separate controllers, so that IronNet can market and advertise on third-party platforms and websites.
- In individual instances, with professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in countries in which we operate who provide consultancy, banking, legal, insurance, and accounting services, and to the extent we are legally obliged to share or have a legitimate interest in sharing your Personal Data.
- If we are involved in a merger, reorganization, dissolution, or other fundamental corporate change, or sell any of our Services or business unit, or if all or a portion of our business, assets, or stock are acquired by a third party, with such third party. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party.
- When cooperating with public and government authorities, courts, or regulators in accordance with our legal obligations under applicable laws to the extent this requires the disclosure of Personal Data to protect our rights or is necessary for our legitimate interest in protecting against misuse or abuse of our websites, protecting personal property or safety, pursuing remedies available to us and limiting our damages, complying with judicial proceedings, court orders or legal processes, or to respond to lawful requests.
Any Personal Data or other information you choose to submit in communities, web conference calls, or web conference chat rooms may be read, collected, and used by others who attend these web conference sessions, depending on your account settings.
For further information on the recipients of your Personal Data, please contact us using the information in the Contact section of our website.
7.0 International Transfer of Personal Data
Your Personal Data may be collected, transferred to, and stored by us in the United States and in other countries where we operate. You consent to the transfer of your Personal Data to, and processing of your Personal Data in, the United States.
7.1 Privacy Shield
This Section 7.1 applies only to IronNet Cybersecurity, Inc.
Your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission and which may not provide for the same level of data protection as the EEA. In this event, we will ensure that the recipient of your Personal Data offers an adequate level of protection, in accordance with EU Privacy Shield (explained further in this section) for the transfer of data as approved by the European Commission (Art. 46 General Data Protection Regulation [GDPR]), or we will ask you for your prior consent to such international data transfers.
IronNet is responsible for the processing of data it receives from the EU and Switzerland under the Privacy Shield Framework. IronNet complies with the Privacy Shield Principles for all onward transfers of data from the EU and Switzerland, including the onward transfer liability provisions.
Pursuant to the Privacy Shield Framework, individuals have the right to access their personal data to inspect, correct, or update their information. EU and Swiss individuals who wish to exercise that right may do so through the Contact Us form on our website.
With respect to data received or transferred from the EU and Switzerland pursuant to the Privacy Shield Framework, IronNet is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, IronNet may be required to disclose data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, IronNet commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to Privacy Shield. European Union or Swiss individuals with Privacy Shield inquiries or complaints should first contact us at:
IronNet Cybersecurity, Inc.
Attn: Privacy Statement
7900 Tysons One Place
McLean, Virginia 22102
Tel: (443) 300-6761
IronNet has further committed to refer unresolved privacy complaints under the EU-US Privacy Shield Principles and Swiss-US Privacy Shield Principles to BBB EU Privacy Shield, a non-profit alternative dispute resolution provider located in the United States and operated by the Council of Better Business Bureaus. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit this website for more information and to file a complaint.
If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1.
Our Public Websites are not directed at children. We do not knowingly collect Personal Data from children under the age of 16. If you are a parent or guardian and believe your child has provided us with Personal Data without your consent, please contact us by using the information in the Contacting Us section of this Privacy Statement below, and we will take steps to delete such Personal Data from our systems.
9.0 How Long Do We Keep Your Personal Data?
We may retain your Personal Data for a period of time consistent with the original purpose of collection (see the Purposes for Which We Process Personal Data and the Legal Bases on Which We Rely section above). We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of your Personal Data processed, the potential risk of harm from unauthorized use or disclosure of your Personal Data, and whether we can achieve the purposes of the processing through other means, as well as on the basis of applicable legal requirements (such as applicable statutes of limitation) and necessity of use.
After expiry of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will put in place appropriate measures to prevent any further use of such data.
For further information on applicable data retention periods, please contact us using the information in the Contacting Us section of this Privacy Statement below.
10.0 Your Rights Relating to Your Personal Data
10.1 Your Rights
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights may include:
- To access your Personal Data held by us (right to access)
- To rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete (right to rectification)
- To erase/delete your Personal Data, to the extent permitted by applicable data protection laws (right to erasure; right to be forgotten)
- To restrict our processing of your Personal Data, to the extent permitted by law (right to restriction of processing)
- To transfer your Personal Data to another controller, to the extent possible (right to data portability)
- To object to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection.
- Not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects (“Automated Decision-Making”). Automated Decision-Making currently does not take place on our websites. Please note that our IronNet Digital Verify Service includes a good faith evaluation of the characteristics of certain social media followers and is not intended for use alone for any decisions, should be considered by humans along with other factors, and are not an endorsement or rejection of any social media account.
- To the extent we base the collection, processing, and sharing of your Personal Data on your consent, to withdraw your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
If you are a resident of California under the age of 18 and have submitted a web request form with us, you may ask us to remove content or information that you have posted to our Public Websites. We will ensure our sub-processors also remove your information from their information systems. If you provide comments on either our LinkedIn or Twitter accounts, we will remove your information, but this does not ensure complete or comprehensive removal of the content or information because, for example, some of your content may have been reposted by another visitor to our social media public account/page.
10.2 How to Exercise Your Rights
To exercise your rights, please contact us using the information in the Contacting Us section of this Privacy Statement. We try to respond to all legitimate requests within one month and will contact you if we need additional information from you in order to honor your request. Occasionally it may take us longer than one month, taking into account the complexity and number of requests we receive. If you are an employee of an IronNet customer, we recommend you contact your company’s system administrator for assistance in correcting or updating your information.
If you are located in the EEA, you may also have the right to lodge a complaint with the relevant Supervisory Authority. A list of Supervisory Authorities is available here.
To update your billing information or delete your Personal Data and other information associated with your account, please contact us using the information in the Contacting Us section of this Privacy Statement.
10.3 Your Rights Relating to Customer Data
As described above, we may also process Personal Data in the role of a processor. If your data has been submitted to us by or obtained by us on behalf of an IronNet customer and you wish to exercise any rights you may have under applicable data protection laws, please inquire with the applicable customer directly (controller). Because we may only access a customer’s data upon instruction from that customer, if you wish to make your request directly to us, please provide us with the name of the IronNet customer who submitted your data to us. We will refer your request to that customer and will support them as needed in responding to your request within a reasonable timeframe.
10.4 Your Preferences for Email and SMS Marketing Communications
If we process your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from us by clicking on the unsubscribe link or following other unsubscribe instructions located at the bottom of our marketing emails, by replying or texting “STOP” if you receive SMS communications, or by turning off push notifications on our apps on your device. Additionally, you may unsubscribe by contacting us using the information in the Contacting Us section of this Privacy Statement. Please note that opting out of marketing communications does not opt you out of receiving important business communications related to your current relationship with us, such as communications about your subscriptions or event registrations, service announcements, or security information.
Alternatively, you can always inform us during a telemarketing call that you do not want to be called again for marketing purposes.
11.0 How We Secure Your Personal Data
We take precautions including organizational, technical, and physical measures to help safeguard against the accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the Personal Data we process or use.
While we follow generally accepted standards to protect Personal Data, no method of storage or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices, and signing out of Services after your sessions where applicable. Breach Notification procedures fall within our Incident Response process and also comply with EU GDPR and other regulatory time reporting/notification requirements. If you have any questions about the security of our Public Websites or our Services, please contact us by using the information in the Contacting Us section of this Privacy Statement or view our Certifications page.
12.0 Contacting Us
To exercise your rights regarding your Personal Data, or if you have questions regarding this Privacy Statement or our privacy practices, please send correspondence by mail to the following address/email address and we will send you the necessary forms:
7900 Tysons One Place
McLean, Virginia 22102
IronNet will communicate responses to subject access requests (SARs) through secure/encrypted means where possible. As a data controller, IronNet may provide remote access to a secure system that would provide the data subject with direct access to his or her personal data. IronNet may communicate with the data subject to clarify and potentially narrow the scope of the SAR, particularly when IronNet processes a large quantity of information concerning the data subject.
We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.
13.0 General Data Protection Regulation — European Representative
Pursuant to Article 27 of the GDPR, IronNet Cybersecurity, Inc. has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by:
- Sending an email to firstname.lastname@example.org
- Using EDPO’s online request form
- Writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
IronNet Cybersecurity, Inc. is committed to cooperating with EU data protection authorities (DPAs) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) and complying with the advice given by such authorities with regard to human resources data transferred from the EU and Switzerland in the context of the employment relationship.
14.0 Changes to this Privacy Statement
We may modify this Privacy Statement from time to time to the extent required to comply with laws or regulations applicable to IronNet, including any changes thereto. IronNet may also make changes to this Privacy Statement as it deems necessary to reflect changes in our practices, technologies, and other factors. Any amended or modified Privacy Statement will be posted on the Public Websites. If we do make changes, we will update the effective date at the top of this Privacy Statement.