Last Updated: July 13, 2020
Who We Are
Northern Lights Group, Inc., d/b/a ThirdPartyTrust a Delaware C Corporation (“ThirdPartyTrust”) creates software products and platforms that enable businesses to manage their own risk as it relates to third party data governance and compliance.
What information do we collect?
- User provided: Contact information (name, email, phone number, job title, company name, payment information, and other information provided by the user) to request a demo or trial or to sign up for a user account or subscription, and to access our platform and use our services.
- Automatically collected: IP Address, user agent, and the referring URL. When you visit our website we automatically receive your IP address and information such as the user-agent of your web browser. This information is provided to us and every other website that you visit on the Internet by your web browser.
What information do we know about you?
We don’t request or require you to provide personal information to access our website. As noted above, we may receive your IP address and user agent automatically. If you optionally elect to use our chat feature or fill out our early access request form, we will receive your Name, Email, Phone number, and Company name as well as your stated interest in our products. If you sign up for a user account or subscription, we will collect your contact information (name, email, phone number, job title, company name, payment information (in the event users purchase a report), and other information provided by the user).
What about cookies?
How do we use the information we collect?
- We use aggregate information to understand how many total users have visited our web site and the types of devices on which they are using it.
- We use information you choose to provide in our web forms to sell software and/or services
- We use information you provide to us when signing up for and using our services to provide services and to correspond with you about those services.
Do we sell any of the information collected by the ThirdPartyTrust website?
No. We don’t sell or rent the information to any third parties.
Do we share any customer data?
We may share data with our vendors and service providers to perform tasks on our behalf.
What’s the difference between personal information and aggregate information?
Personal information is information that can be used to identify a particular individual, generally understood to be information such as your name, physical address, email address and phone number. Aggregate information is not considered personal information and cannot be used to identify you.
Do we collect email addresses?
We do not require you to submit your email address, or any other personal information, to us in order to use the ThirdPartyTrust website. If you use the information provided on the ThirdPartyTrust.com website to contact us directly, we will receive your contact information, but will only use it in order to respond to your inquiry. If you fill out a web form on our web site we receive your email and may store that email and associated contact information for up to 12 months.
Table of Contents:
- What Information We Collect and How We Collect It
- How We Use the Information
- We Collect Cookies
- With Whom We Share Information
- Security Encryption
- Physical Security Access
- Control Employees
- Vulnerability Management
- Incident Management
- Data Retention
- Children’s Privacy
- “Do Not Track”
- Your Rights
- California Privacy Rights under the CCPA
- EU-US & Swiss-US Privacy Shield
- How to Contact Us
What Information We Collect and How We Collect It
In order to provide our services to you and to ensure that our software and platform operate correctly, we collect various types of information, including information that identifies you or may identify you as an individual (“personal information”). When you use our website, sign up for our services, and use our software or platform, we collect the following information:
Information you provide to us:
- If you use the contact information provided on the ThirdPartyTrust.com website to contact us directly, you agree to allow ThirdPartyTrust to store and process your contact information. We will receive your contact information which could include, depending on how you contact us, your email address, name, company name, job title, the reason for contacting, and postal address.
- We receive and store the information you provide directly to us when you sign up for and use our services and platform. The types of information we may collect directly from our customers and users include name, email address, mailing address, phone number, job title, payment and billing information (excluding credit card information), and any other information provided by the user (including a user-submitted photograph if a user chooses to provide one).
When you use our website or platform, we automatically collect the following information:
- Internet Protocol Address (“IP address”). IP addresses are assigned by your Internet service provider (e.g., Comcast/Xfinity, AT&T, Time Warner, Verizon, Charter, etc.) to the modem used to access the Internet for connected devices in your home and/or work-place. Any devices using the modem to access the Internet may broadcast the same IP address. At home, connected devices could include one or more laptop/desktop computers, tablets, mobile phones, smart/connected TVs and gaming consoles. At work, connected devices could include one (or all) floor(s) in an office building. Our website receives your IP address from your Internet browser each time you request a file or web page.
- User-Agent. Due to the nature of how the Internet works, we may receive information (known as “User-Agent”) automatically sent by your web browser, such as data associated with the source device’s Internet browser/content delivery software (e.g., Microsoft Explorer, Mozilla Firefox or Google Chrome). The User-Agent information we receive may also include information such as device type (e.g., computer, tablet, mobile device), and/or date/time of visit. Similar to the collection of IP addresses, our website also receives User-Agent information associated with your browser and type of device.
How We Use the Information We Collect
- Services. We may use the information we collect in connection with the services we provide. We may use the information we collect to set up user accounts; provide, operate, and maintain services; process and complete transactions; provide customer service and support and respond to inquiries; to send communications; to prevent fraudulent activity; for any other purpose based on our legitimate interest.
- Website. We may use the information we collect to administer and improve the ThirdPartyTrust website and platform.
- Promotional Communications. We may use your personal information to contact you with newsletters, marketing, or promotional materials and other information that may be of interest to you. You may opt-out of receiving any, or all, of these communications from us by following the instructions provided in any email we send or by following the unsubscribe link in those emails.
- Analytics. We may use aggregated information that’s collected to understand general information and trends related to our website, such as how many users have visited our web site during a given period of time, and the types of devices the visitors use. The information can’t be used to identify an individual and is used by us to help improve the solution for consumers.
- IP addresses – Fraud Prevention. Our use of IP addresses is limited to helping identify and combat potentially fraudulent activity. IP addresses are stored in our log-files and are deleted after 30 days.
- Respond to Inquiries. If you choose to contact us directly (by email, form, or postal mail) using the contact information we provide on the ThirdPartyTrust website, we will use your contact information to respond to your inquiry.
With Whom We Share Information
We will not rent, sell or share information about you with other people or non-affiliated companies. We may share and disclose information (including personal information) in the following instances:
- Vendors and Service Providers. We may share your information with vendors and service providers whom we engage to perform tasks on our behalf. More details about these vendors and service providers can be found in our GDPR statement.
- If ThirdPartyTrust is acquired or merged with another company, we will transfer collected information to the acquiring company.
- Under certain circumstances, we may be required to disclose personal information if necessary to comply with a subpoena or court order, to establish or exercise our legal rights or defend against legal claims, or to cooperate with government and/or law enforcement officials.
We may share aggregated information (i.e., information that cannot be used to identify an individual) for a variety of reasons, including under the following circumstances:
- To make our product better and foster transparency.
- If ThirdPartyTrust is acquired or merged with another company we will transfer aggregate information to the acquiring company.
- We may share aggregate information if necessary to comply with a subpoena or court order, to establish or exercise our legal rights or defend against legal claims, or to cooperate with government and/or law enforcement officials.
- For any lawful basis.
We take security very seriously. Ensuring that the information collected by our website and platform is secure and protected is very important to us. Consistent with industry standards and applicable law, ThirdPartyTrust has established appropriate technical and organizational measures to help prevent unauthorized access to, disclosure, alteration or misuse of information collected by the ThirdPartyTrust website and platform (“Collected Data”).
We use Amazon Web Services to store all Collected Data. Amazon employs a robust physical and network architecture security program with multiple certifications. For more information on Amazon’s security processes, please visit https://aws.amazon.com/security/.
All data transmitted between visitors to the ThirdPartyTrust website and users of the ThirdPartyTrust platform is encrypted in transit.
All data received and stored by ThirdPartyTrust servers is encrypted at rest.
ThirdPartyTrust’s technical infrastructure is hosted on Amazon Web Services SOC 2 accredited data centers. Physical security controls at AWS data centers include 24×7 monitoring, cameras, visitor logs, and entry requirements.
All services related to operations and infrastructure are accessible only through secure connectivity (e.g., SSL, SSH). All systems require multi-factor authentication. Our back-office, service, and infrastructure password policies require minimum lengths, complexity, expiration, lockout, and disallows reuse. ThirdPartyTrust grants access to staff and contractors on the basis of least privilege rules, reviews permissions monthly, and revokes access immediately after employee termination.
All employees of ThirdPartyTrust undergo national background checks, are required to sign non-disclosure agreements, and complete security training.
All systems and applications undergo security review for vulnerabilities prior to production deployment. All application dependencies are monitored for vulnerabilities using third party dependency scanning tools.
ThirdPartyTrust maintains industry standard security incident response policies and procedures.
If you provide information to us to request a demo, we will keep that information for up to twelve months after your last communication with us.
We will keep personal information provided by customers for up to three months after the end of our business relationship and subject to our Terms and Conditions.
If you contact us directly using the contact information provided on the ThirdPartyTrust website, we will retain your contact information for a period of up to three months after we respond to your inquiry. After that, the communications will be deleted from our system, unless we are required by law to retain it longer.
The ThirdPartyTrust website and platform were not developed or intended for individuals that are deemed to be children under applicable data protection or privacy laws, nor do we knowingly collect information from children.
“Do Not Track”
Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. DNT is a way for users to inform websites and services that they do not want certain information about their webpage visits collected over time and across websites or online services. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
- You can opt-out of receiving certain marketing or promotional communications from ThirdPartyTrust at any time by using the unsubscribe link in the email communications we send.
- If you would like to request access, review, update, rectify, or delete any personal information we have about you, you can contact us using the contact information we provide on the ThirdPartyTrust website. Our privacy team will respond as soon as possible. Rights available under the GDPR are described in our GDPR statement.
- California residents have the right to ask us for a notice identifying the categories of personal information we share with third parties for marketing purposes. California residents can exercise this right by contacting us using the contact information we provide on the ThirdPartyTrust website.
California Privacy Rights under the CCPA
The California Consumer Privacy Act of 2018 (“CCPA”) took effect January 1, 2020 and provides California consumers with certain rights regarding their personal information.
The section “What Information We Collect and How We Collect It” explains the specific details of personal information ThirdPartyTrust collects. The CCPA also requires listing categories of personal information collected. As defined by the CCPA, we collect, or have collected in the past 12 months, the following categories of personal information:
- Identifiers (such as name, email address, postal address, phone number, IP address)
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) (such as name, contact information, employment)
- Commercial information (such as transaction information, purchase history, payment information)
- Internet or other electronic network activity information (such as browsing history, search history, online behavior)
- Professional or employment-related information (such as job title and your business contact information)
- Inference data about you (such as additional features we think would be of interest to you)
Personal information, as defined by the CCPA, does not include publicly available information from government records and de-identified or aggregated consumer information.
We use and disclose the categories of personal information we collect from and about you consistent with the business purposes discussed in the section “How We Use the Information We Collect”.
The CCPA also sets forth obligations for businesses that “sell” personal information to third parties. We do not “sell” personal information and have not sold any personal information in the past 12 months.
If you are a California resident, you may have the following consumer rights under the CCPA:
- Right to request deletion of personal information. You have the right to request the deletion of your personal information we have collected from you, subject to certain conditions and limitations under the law.
- Right to Opt-Out of the sale of personal information. The CCPA provides consumers with the right to opt-out of the sale of their personal information. We do not share, sell, rent, or trade User Personal Information with third parties for their commercial purposes as defined under the CCPA.
- Right to non-discrimination for exercising a consumer privacy right. We will not discriminate against you for exercising any of your rights under the CCPA.
To exercise any of your rights as set out above on or after January 1, 2020, please contact us by submitting a request at https://www.thirdpartytrust.com/dsar/ or by contacting us at ThirdPartyTrust, 420 N Wabash Ave #503, Chicago IL 60611. You will be required to verify your identity before we are able to fulfill your request. You can designate an authorized agent to make a request on your behalf. To do so, you will need to provide a written authorization or power of attorney signed by you for the agent to act on your behalf. You will still need to verify your identity with us. Note that consumers may only make a personal information request twice in a 12-month period under the CCPA. We will work to respond to your verifiable request within 45 days of receipt. Certain information may be exempt from requests under applicable law.
EU-US & Swiss-US Privacy Shield
In compliance with the Privacy Shield Principles, ThirdPartyTrust commits to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact ThirdPartyTrust at:
ThirdPartyTrust, Inc., a Public Benefit Corporation
420 N. Wabash Ave
Chicago, IL 60611
ThirdPartyTrust has further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-claim claim for more information or to file a complaint. The services of JAMS are provided at no cost to you.
If your concern still isn’t addressed by JAMS, you may be entitled to a binding arbitration under the Privacy Shield Principles. For purposes of enforcing compliance with the Privacy Shield, ThirdPartyTrust is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.
How to Contact Us
420 N Wabash Ave
Chicago, IL 60611