Network Standard Corporation (d.b.a. NetDiligence®)
Privacy Policy

Last Updated: November 3rd, 2009

This document represents the published privacy policy of Network Standard Corporation, doing business as NetDiligence®. We reserve the right to change the terms of this policy at any time without prior notice, so please check back to this location frequently for published updates. Your use of any NetDiligence® website or service constitutes your consent to be governed by the terms of this policy.

We value your personal and professional privacy in your dealings with NetDiligence®, and recognize that your willingness to do business with us in your capacity as an organizational representative grants us only a limited license to use your company credentials and/or private information for our mutual benefit. This privacy policy attempts to explain in layman’s terms how we approach the gathering, storage, security and use of personal information that you provide to us.

What Personal Information Do We Collect and What Do We Do With It?

As of the current date of this Privacy Policy, NetDiligence does not conduct direct e-commerce transactions that involve the collection or use of PCI cardholder data. Second, NetDiligence does not collect sensitive personally identifiable information such as Social Security numbers (SSNs), driver's license numbers, or financial/credit history data (except in the case of prospective hires as part of a comprehensive pre-employment background check). Third, NetDiligence does not collect any form of PHI/ePHI data that falls under the HIPAA regulatory regimen.

With regard to our limited collection of personal information within the context of professional or organizational activities, we think it is most useful to answer this question by looking at the functional components of our business and describing our practices in each case:

  1. Our www.NetDiligence.com Website: Currently, we do not gather contact information through our information-only website beyond the routine Internet traffic statistics provided to us by our Web hosting company. This means we have access to source IP address and referral URL information that you leave with us during your visits. Where necessary for the function of the Website, we use session cookies. Because we do not provide retail e-commerce services from this site, this data provides little to us in terms of useful information beyond what we need to keep the website operating and (if necessary) track down bad actors who wish to do us harm.

  2. Our Online Survey Services, such as QuietAudit and NetDiligence® Online: Because your organization has either contemplated, or entered into, a contractual relationship with NetDiligence® (or with one of our partners who have called upon us in a “perform” role), we may gather your professional credentials (name, organizational title, telephone/e-mail contact information, and related data) in order to provide your organization with authorized cyber security assessment surveys. Because we may be called upon by your organization or other parties due to our contractual relationship to provide required assessment regarding your organization’s activities and cybersecurity practices, we may retain your professional credentials for a period of at least two years following our most recent interaction with your organization. When you supply us with information as part of your completion of these assessment surveys, we retain your responses for at least two years. Our fulfillment of certain regulatory requirements (e.g., GLBA 501b, HIPAA) for our clients may optionally require a retention period that is substantially longer than our stated two-year minimum.

    We use the information gathered to prepare contractually required assessment deliverables that are shared with your organization and/or identified third parties in strict adherence with the terms specified in the contractual agreements (statement of work contracts) that define our roles and responsibilities with respect to your organization. We retain the unilateral right to conduct and publish research based on statistical analysis of any/all survey responses without identifying the personal or professional credentials of individual survey participants. If we are asked to provide personal or professional credentials outside of the terms of our contractual relationship, we will only do so upon receipt of your organization’s explicit written approval.

    We conduct focused marketing of other products/services that we provide, either directly or through our third-party partners under joint marketing agreements. In most cases, these marketing efforts are aimed at providing your organization with a service that complements our cybersecurity assessment service, such as a remediation or BCP service. You may elect to opt out of such marketing activities (telephone, mail, email, etc.) by contacting us directly with your stated preferences. Send opt-out requests via email to Dave.Chatfield@NetDiligence.com. We acknowledge/track all such requests and will respect your stated wishes.

  3. Our eRisk Hub® Portal Service: Your organization has either contracted directly with us for, or has obtained through a business relationship with a third party with whom NetDiligence has an ongoing relationship (e.g., an insurance carrier or broker), access to one of our eRisk Hub portal services. Within the context of managing eRisk Hub subscriptions, NetDiligence’s collection and retention of personally identifiable information will typically include name, organization, title, address, and telephone/email contact information. In some cases, clients may use the eRisk Hub service to seek out the professional services of one or more third-party eRisk Hub Participant vendors. Based on your specific requests generated while on the eRisk Hub site, we may contact the vendor(s) in question in order to ensure that your specific request has been received and acted upon by the vendor’s management and/or customer support team.

    Our eRisk Hub service includes an email notification service for registered users. Users wishing to be excluded from the email subscription list associated with the eRisk Hub service can opt-out of receiving it by contacting registrar@eriskhub.com. We acknowledge/track all such requests and will respect your stated wishes.

  4. Our Cyber Risk News Email Service: Our Cyber Risk News service includes delivery of periodic email newsletters that contain summaries of current events within the industry. For this service, we retain only the subscriber’s name, organization, title, address, and email/phone contact information. This free service is an opt-IN offering, and all subscription/removal requests should be addressed to Mark.Greisiger@NetDiligence.com.

  5. Our Assessment Services and/or Third Party Partner Services: Our performance of assessments or any other services we provide is carried out in compliance with the terms stated in #2 above, but with a few additional caveats: (a) When services are performed by or in conjunction with our third party partners, the handling of your personal/professional credentials and/or provided responses may be subject to the privacy policies and data retention schedules of both NetDiligence® and those of any participating partners; (b) We will inform participating partners of your organization’s opt-out preferences, if any, and will require their conformance with your wishes in this area as a condition of our partnership arrangement.

What Security Protections Do We Apply in Keeping Your Personal Information Safe?

We make use of appropriate protections, such as firewalls, encryption of data in transit during survey sessions and encrypted password-protection of report deliverables containing sensitive information such as your professional credentials and/or your organization’s existing practices. We adhere to industry-acknowledged best practices in protecting our production servers, and take reasonable and cost-efficient precautions to ensure that your personal/professional credentials and survey responses that highlight organizational practices are protected from accidental or malicious disclosure to unauthorized parties.

Do You Have Any Questions Regarding Our Privacy Policy or Practices?

We welcome your questions or comments regarding our privacy policy or existing practices. If we make a mistake that violates the terms or spirit of this policy, we want to know about it as soon as it comes to your attention so that we can fully address the situation in a timely manner. Please contact Dave Chatfield at (954) 684-9190 or via e-mail at Dave.Chatfield@NetDiligence.com.

