This document ("Privacy Policy") explains the privacy rules applicable to any information relating to an identified or identifiable natural person ("personal data" or "personal information") collected or submitted when you access, install, or use NordStellar Services (collectively, the "Service" or "Services") and this website ("Website") regardless of the device (computer, mobile phone, tablet, etc.) you use or access.

This Privacy Policy describes how personal data is processed by Nord Security Inc. located at Americas Towers, 1177 6th Avenue, 5th FLR, New York, NY 10036, United States of America ("Nord", "we", "us", or "our"). We act as a data controller when collecting data directly (e.g., when you access our Website, contact our customer support) and as a data processor when processing End Users’ data provided by our Customers according to their instructions.

By visiting our Website, by submitting your personal data to us, and by accessing, installing and/or using our Services, you confirm that you have read this Privacy Policy and agree to be bound by this Privacy Policy. If you do not agree with this Privacy Policy or any provisions hereof, please do not use our Services and Website.

1. PROCESSING OF PERSONAL DATA – NORD’S ROLE AS DATA PROCESSOR

   By providing the Services to its Customers, Nord acts as a data processor in relation to the personal data, which is provided and shared with Nord by organizations (businesses) on the basis of the Master Service Agreement ("Agreement"), which is in place between Nord and its business customers.

   If your organization, like your employer or another entity that has an Agreement with us, grants you access to our Services (whether by creating an account or connecting through other methods) Nord receives certain information about you, including some personal data, from the Customers. This happens as part of providing access to and operating the Services based on the Agreement mentioned above. In this case, you are identified as an end user ("End User"), and your use of our Services is first of all and primary subject to your organization's policies and rules, if any. Please note that in such a case, your organization (our Customer) is the data controller in respect of all such personal data of yours.

   Nord receives this information as a data processor from the Customer and processes this personal data solely on behalf of and in line with the Customer's instruction as well for the purposes of proper Service provision, operation and maintenance, e.g., to send you important updates and announcements related to the use of our Services.

   The following information about the End User is processed by us when we provide Services to the Customers:

   • Account information. On behalf of our Customers, we process End Users’ names, email, professional information (position, represented entity’s information) account registration, login information, subscription information, device information (e.g., device name, IP address, OS).
   • Authentication information. When you create an account on our platform or log in to our Services, we collect and process certain login credentials, which are required to verify your identity and provide you with access to our Services. This may include your email address, username, password, and any additional information you choose to provide during the registration process. We use this information solely for user authentication.
   • Single Sign-On. If you use Single Sign-On (SSO) functionality, allowing you to log in to our platform using existing credentials from third-party authentication services such as Google, Apple or Microsoft, we may collect and process certain personal information from the third-party service provider to facilitate your login process and provide you with access to our platform or Services. This may include your name, email address, profile picture, and other basic information provided by the authentication service. We use this information solely for the purpose of authentication, and we do not share your SSO credentials or personal data with any third parties.

   Please note that when your organization uses our Services, it makes its own decisions about which data points are relevant, important and require additional protection. In this case, the organization decides the exact scope, size and list of the data elements, including your personal data, which shall be subject to monitoring and related Services, operated and provided on the basis of the above-mentioned Agreement.

   Note to the End-Users: the organization that provides us with your data is responsible for disclosing you detailed privacy related information as well as for lawful processing of your data in line with applicable legal requirements.

   Nord processes the End User’s personal data to provide the Services to the Customer and, in some cases, for Nord’s business operations related to providing the Services as described in this Privacy Policy. Nord acts only as a data processor and processes your data according to the instructions issued by your organization. Nord is not and cannot be responsible for the privacy or security practices of its Customers, which may differ from those set forth in this Privacy Policy.

   If you are an End User and have questions about processing of your personal data by Nord in connection with providing Services to your organization, please contact your organization (the Customer). If you have questions about other business operations mentioned in this Privacy Policy when Nord acts as a data controller, please contact us as provided below (see Section "Contact Us").
2. PROCESSING OF PERSONAL DATA – NORD’S ROLE AS DATA CONTROLLER

   In this section of our Privacy Policy, we outline Nord's role as a data controller in various processing activities related to conclusion and performance of agreements with our Customers, payments, marketing activities, and communications.

   We collect (directly from you, third parties or your interactions, use, and experiences with our Services/Website) and use the information for the following purposes:

   Information related to the conclusion and performance of the Agreement

   • Personal information. In order to conclude and perform a business agreement with the Customer, we may process Customer's representatives' contact information (full name, telephone number, and/or email address) and professional information (position, represented entity's information).

   Payment related information

   • Payment data. If you have provided payment information to us, such as basic billing information belonging to a natural person (date of purchase, IP address, postal (ZIP) code, billing address), we will process this information (i) to verify payment's information and prevent fraudulent payments for the Services; (ii) to collect payments to the extent that doing so is necessary to complete a transaction.
   • Country details. When making a purchase as a natural individual, we process the information on the country the purchase takes place. This information is necessary for VAT calculation purposes.

   Online activities

   • Access logs. To ensure Website support and security we collect access logs, such as your IP address, operating system, and browser information. This information is essential for fighting DDoS attacks, scanning, and similar hacking attempts. We also use this information to help us design our site better, help diagnose problems with our server, and administer our Website.
   • Information received from analytics service providers. To analyze and improve our Website and users' experience, we use analytics service providers (e.g., Google Analytics) to help us collect aggregated information that does not directly identify you, but provides us with various statistics, such as, which pages visitors visit the most and for how long they stay there. We may also see the following: your device's IP address, device type, browser information, geographic location (country only), preferred language, the title of the page being viewed, screen size and resolution, out links, referrers, page and website speed. For the collection of such information, our service providers mostly use cookies.
   • Cookies. Cookies, pixels, and other similar technologies are usually small text or image files that are placed on your device when you visit our Website. Some cookies are essential for our Website to operate smoothly; others are used to improve the Website's functionality, analyze aggregated usage statistics to improve the Website's performance, and for advertising purposes. Our Website may include social media features, such as the Facebook like and/or share buttons, to help you share our content more easily. These features may collect information about your IP address and which page you are visiting on our Website, and they may set a cookie to make sure the feature functions properly. We also use affiliate cookies to identify the Customers referred to our Website by our partners so that we can grant the referrers their commission. You can check our Cookie Policy for more information.

   Communication data

   • Communication optimization data. We use various tools to help us optimize our email campaigns. These tools may track actions you perform with an email, such as open rates, click-through rates or unsubscribes from further communication. We may also be able to see the user device’s operating system (e.g., Windows, Mac, iOS, Android).
   • Social media. When you interact with us via social media, we may process information available on your social media profile, also your inquiry or post information, and other information you provide us with.
   • Other communication means. When you contact us to inquire about our Services, we process your full name, email address, entity’s information you contact on behalf of (if provided), and/or other information you provide us with.

   Marketing

   • Information related to marketing activities. We may receive certain data about you (i) directly from you, if you subscribe to marketing communications, complete surveys, or sign up for our events or webinars, publicly available material prepared by Nord or (ii) from certain advertisers and other partners which we use for advertising purposes. Those partners help us deliver more relevant ads and promotional messages to you, which may include interest-based advertising (also known as online behavioral advertising) and account-based advertising. We may also receive your personal data from the organizers of events that you and Nord participate in, or promotions that we sponsor or participate in. Such data may include your contact and professional data (e.g., name, company, position, email address, preferences, and/or interests), cookie id, mobile device id, and inferences about your interests and preferences. We use this information in order to send you offers, surveys, and other marketing content (in line with applicable law) and to manage your participation in our events or seminars. You can easily opt-out of future marketing communications using the opt-out link provided in the emails sent to you.
3. GROUNDS FOR PROCESSING OF PERSONAL DATA

   Nord processes personal data to a limited scope and based on the following legal grounds:

   • To fulfill contractual obligations. The information provided might be required for the performance of a contract, i.e., (i) to provide Services and customer support; (ii) to process purchase transactions; (iii) to ensure the secure, reliable, and robust performance of our Services and Website.
   • To ensure legal obligation. We might be required to use your information as per legal requirements, e.g., to keep and process records for tax purposes and accounting.
   • Your consent. We might use your information where you have given your consent to us, i.e., (i) to send marketing communication (unless applicable law permits us to contact you without prior consent); (ii) to communicate with you and manage your participation in our contests, offers, referrals, or promotions. Please note that although we may also process your personal data for marketing purposes when applicable law permits us to contact you without your separate consent, if you choose not to receive marketing communication from us (i.e., if you opt out), we will honor your request.
   • Legitimate interest. We sometimes may process your personal data under the legitimate interest, i.e., (i) to properly administer business communication with you; (ii) to detect, prevent, or otherwise address fraud, abuse, security, or technical issues with our Services and Website; (iii) to protect against harm to the rights, property, and safety of Nord, our Customers, End Users, or third parties; (iv) to improve or maintain our Services and provide new products and features; (v) to receive knowledge of how our Website and application are being used.
4. SHARING YOUR PERSONAL DATA

   We do not sell, trade, or otherwise transfer to outside parties your personal data. This does not include trusted third parties who assist us in operating our Services, conducting our business, or servicing you, so long as those parties agree to keep this information confidential and to not use it for any purpose other than to fulfill their obligations to us.

   We may share your information with subcontractors and other partners located in countries abroad. All our subcontractors and other third parties will be subject to contractual obligations limiting their use of personal data and subjecting their activities to the applicable privacy laws. All our subcontractors will be subject to non-disclosure and non-use obligations.

   Only where permitted by applicable laws and for the purposes listed in this Privacy Policy we share, to the extent necessary, the information with:

   • Service providers. We use third-party service providers to help us with various operations, such as IT, servers, marketing, customer support, data storage, website customization, website analytics, accounting, legal, agency, and others. As a result, some of these service providers may process your personal data.
   • Partners. Sometimes our partners, for example, distributors, resellers, managed service providers, and app store partners might also process your personal data. In such cases, the procedures established by them (e.g., terms of service and privacy policies) will apply to such relationships.
   • Other Nord group companies. We share your personal data with other Nord group companies to carry out our daily business operations and to enable us to maintain and provide our Services to you. In accordance with applicable law, we may also share your contact information with Nord group companies for the marketing of their products’ purposes (you have a right to object to such transfer at any time).
   • Protection of our rights. We may disclose your data to establish or exercise our legal rights or defend against any legal claims or other complaints. We may also share such information if we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, and violations of Agreements.
   • Business transfers. We may share your personal data in those cases where we sell or negotiate to sell our business or go through a corporate merger, acquisition, consolidation, asset sale, reorganization, or similar event. In these situations, Nord will continue to ensure the confidentiality of your personal data.
   • Requests from law enforcement institutions. Any request for data should follow an appropriate official legal process recognized by the laws of incorporation (e.g., mutual legal assistance treaty, letters rogatory). We carefully review each request to make sure it satisfies laws applicable to our company, laws of requesting country, international norms, and our internal policies.

   If any collection and processing of personal data will be carried out, in the course of Nord’s business and provision of services, by external data processors, we will require, within the framework of its contracts with such external processors, for them to comply with relevant legal data protection rules and legislation applicable to the services they provide to Nord, before the transferring your personal information and data.

   Cross-border transfers of personal data. To support our Services and Website, we may transfer personal data worldwide (and outside EEA), including to countries where Nord operates. We carefully evaluate cross-border transfers and implement safeguards to ensure your personal data remains protected, such as ensuring compliance with the European Commission's adequacy decisions or using approved standard contractual clauses for transfers outside the EEA.
5. CHOICES RELATED TO YOUR PERSONAL DATA

   Please note that various data protection laws across different jurisdictions provide privacy rights to you as a data subject. Subject to applicable data protection laws, among others, you may have the following rights:

   • Delete: request us to erase your personal data;
   • Access: know and access personal data Nord has collected about you;
   • Rectify: rectify, correct, update, or complement inaccurate/incomplete personal data Nord has about you;
   • Object: object to the processing of your personal data which is done on the basis of our legitimate interests (e.g., for marketing purposes);
   • Portability: request us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format or to transmit (if technically feasible) your personal data to another controller (only where our processing is based on your consent, and carried out by automated means);
   • Restrict: restrict the processing of your personal data (when there is a legal basis for that);
   • Withdraw consent: withdraw your consent where processing is based on the consent you have previously provided;
   • Lodge a complaint: exercise your rights by contacting us directly or, if all else fails, by lodging a complaint with a supervisory authority.

   Rectification. If you’d like to edit your information (e.g., change your email address), please contact our support team at [email protected].

   Access/Deletion. If you wish to delete your personal data that we process or request to provide you with a copy of your personal data, please contact us at [email protected].

   Opt-out. If you wish to unsubscribe from our marketing communication, you can opt-out at any time by clicking the "unsubscribe" link at the bottom of each email or contacting us at [email protected].

   If you do not agree with the processing of your personal data by Nord, please do not use our Services and Website. You can request us to discontinue processing your personal data, in which case your data will be processed only as much as it is necessary to affect the discontinuation of your use of the Services (e.g., final settlement or deleting all personal data), or finalizing other our legal relationship with you (e.g., record keeping, accounting, processing refunds). Please note that we or our third-party service providers may be obliged to retain your certain personal data as required by law.

   If you are using Nord Services as an End User and you want your personal data to be no longer processed by us, you should contact your organization that granted you access to our Services.

   To raise any other questions, concerns, or complaints about our privacy practices or about our processing of your personal data, please contact us as provided below (Section "Contact Us").

   Other communication means. When you contact us to inquire about our Services, we process your full name, email address, entity’s information you contact on behalf of (if provided), and/or other information you provide us with.
6. DATA SECURITY

   We maintain tight controls over the personal data we collect. Our dedicated IT security team has implemented appropriate physical, technical, and organizational measures to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, or access and against all other unlawful forms of processing:

   Physical Measures. We control access to our facilities with access cards. We also use security alarm systems and CCTV. We store devices with personal data information only in locked rooms or cabinets. Our printers are protected by access control measures. A clean desk policy is implemented.

   Technical Measures. We use layered defense with firewalls, anti-malware protection, intrusion detection, and prevention systems. Our infrastructure is regularly updated and regular vulnerability scans are in place to detect possible vulnerabilities. We have security event and incident management solutions to correlate and investigate signals in security tools. Servers are hardened and automated configuration tools are used to manage them. All workplaces are managed from a centralized endpoint management tool. Data at rest and in transit are encrypted. Encryption protocols are used according to the newest security practices.

   Organizational Measures. We adopted information security and data processing policies according to best practices. We have external audits to prove our information security and data processing policies are up to standards. We adopted a constant development culture of security and data protection awareness among our employees (including organizing regular and ongoing training and other awareness activities). We analyze the threat landscape and attack surface and constantly update our security measures. Access to databases containing personal data is granted on a need-to-know basis.

   We maintain tight controls to protect information about you against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of processing. However, no company can guarantee the absolute security of internet communications as no technology is completely bulletproof. By using the Services and Website, you expressly acknowledge that we cannot guarantee the 100% security of personal data provided to or received by us through the Services and that any information received from you through the Website or our Services is provided at your responsibility. If you have any reason to believe that your interaction with us is no longer secure, please notify us at [email protected].
7. DATA RETENTION

   Nord will retain End Users’ data in accordance with the Customer’s instructions.

   In cases when Nord acts as a data controller, it stores personal data only for as long as it is necessary for the original purpose of collection or legal requirements. We may also keep the information necessary for the execution of our legal rights, obligations, and fulfillment of our other duties (for example, bookkeeping).

   We determine the appropriate retention period for personal data based on the law requirements, the nature, and sensitivity of the personal data being processed, and the potential risk of harm from unauthorized use or disclosure. When we no longer have a legal ground to keep personal data, it will either be securely disposed of, or de-identified through appropriate anonymization means.

   For more information about specific retention periods, please reach out to us at [email protected].
8. COUNTRY-SPECIFIC PROVISIONS

   For users in European Economic Area ("EEA")

   If you are a resident of EEA countries, you can exercise your rights as provided in the European Union's General Data Protection Regulation ("GDPR") by contacting us at [email protected]. To comply with the GDPR, we have also implemented appropriate contracts for international transfers, on the basis of the standard contractual clauses approved by the European Commission and other international models as required by local law.

   For users in California

   If you are a California resident, you can exercise your rights as provided in the California Consumer Privacy Act ("CCPA") by contacting us at [email protected]. As per definitions in the CCPA, please note that Nord does not sell, share, lease, or rent your personal information.
9. MINORS’ DATA

   Nord does not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, please do not attempt to send any personal data about yourself to us. If we acknowledge that we have collected and processed personal data from a minor under the age of 18, we will delete that data as quickly as possible.
10. CONTACT US

    If you have questions, requests, concerns, or complaints about how your data is being processed or personal data processing practices, please contact us via [email protected], or by writing to us at the following address: Nord Security Inc., Americas Towers, 1177 6th Avenue, 5th FLR, New York, NY 10036, United States of America.

    On matters related to the processing of personal data, you may also contact our representative VeraSafe in the European Economic Area using the following details:

    • via this contact form: https://verasafe.com/public-resources/contact-data-protection-representative
    • via telephone at: +420 228 881 031
    • via the postal address at: VeraSafe Ireland Ltd., Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.

    If you are located within the United Kingdom, you may also contact our representative VeraSafe in the United Kingdom:

    • via this contact form: https://verasafe.com/public-resources/contact-data-protection-representative
    • via telephone at: +44 (20) 4532 2003
    • via the postal address at: VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.
11. OTHER TERMS

    Limitation of Liability. To ensure the security of personal data, we apply various technical, physical, and organizational security measures; however, it is your responsibility to exercise caution and reasonableness when using the Services and Website. You will be personally liable if your use of the Services or Website violates any third-party privacy, any other rights, interests or any applicable laws. Under no circumstances is Nord liable for the consequences of your or your End-User’s unlawful, willful, and negligent activities, and any circumstances that may not have been reasonably controlled or foreseen.

    Links to other websites. Our Website may include links to other websites (e.g., social media websites) whose privacy practices may be different from ours. If you access any of those websites via such links and/or submit your personal data to any of those websites, your personal data is processed by the procedures established by those third parties and governed by their privacy policies. We encourage you to carefully read the privacy policy (or other respective privacy notices) of any website you visit.

    Updates to the Privacy Policy. We develop our Services and Website by introducing new features or modifying current ones constantly. You are expected to check this Privacy Policy regularly so that you are familiar with the most current wording of the Privacy Policy. Your continued use of the Services and Website will be deemed acceptance thereof.