Trillion Application Privacy Policy

Trillion Application Privacy Policy

Your privacy is important to us. It is Threat Status Limited’s policy to respect your privacy regarding any information we may collect from you across our website, http://www.threatstatus.com, and other sites we own and operate. Details of data we collect and used for delivering service are:

Trillion portal administrators

Customer administrators are set up to administer the Trillion service for the customer organisation. Personal data we need to setup and maintain customer administrator profiles includes email address, name, job role, phone number, a chosen password and postal address. We collect this data for the purposes of delivering our service to you, including sending reports, service notification, billing requests and requests for customer feedback.

We also use this information for the purposes of sending information on Threatstatus products enhancements and service additions that you may be interested in.

Trillion portal users

Trillion portal users are set up to receive alerts from Trillion services and can logon to the portal to view reports and analyse data. Personal data we need to setup and maintain Trillion portal user profiles includes email address, name, job role, phone number and a chosen password. We collect this data for the purposes of delivering our service, including sending reports and service notification.


Why we collect this information

We only ask for personal information when we truly need it to provide a service to you. We collect information by fair and lawful means, and we only collect data directly from you with your knowledge and consent. We also let you know why we’re collecting it and how it will be used. We never share information you have provided to us with 3rd parties without your agreement, or written consent of a 3rd party that they have your agreement.


Public data relating to you, your organisation and your organisation’s employees being collected and processed by Threat Status Limited

Threat Status Limited is a UK company who specialises in notifying its clients about cyber security threats to their organisations.

If you are a subscriber to our Trillion service or have requested a summary report then you are giving Threat Status permission to collect, store, search, analyse and report on data in the public domain relating to your organisation and we will use the information to generate alerts, reports and statistics relating to your organisation’s users, including threat scores and risk profiles. For our subscribers, this information can be shared with you and any of your customer portal users.

We will not share the information we find about your organisation or users with any third party without your explicit permission unless they are an authorised partner of Threat Status, and have confirmed to us that they have been authorised to provide security services on your behalf.

Threat Status may generate anonymous threat statistics for use in marketing, case studies and benchmarking purposes, however these will never reveal any details about the organisations we are monitoring or their users details.


Data we share with users of our service

During processing of publicly available information Threat Status may identify information relating to your organisation’s employees (identified by data attributes listed below). This data will be analysed and reported via the Threat Status Trillion portal to all users who have been granted accounts for your organisation. It is your Trillion administrators role to suppress alerts and data for users that are no longer employees or who do not give the organisation permission for Threat Status to monitor.

Data attributes that Threat Status will share with your organisations users of our service are limited to:

  • Email Address
  • Breach Source (where appropriate and not covered by Source Masking, detailed in the source masking section)
  • Threat Score (calculated from the breach data collection)

We will not under any circumstances expose passwords, security question answers or other personal details other than directly to the individual data owner (such as the individual associated with an explicit email address).

Users of our service should be conscious that the results generated by our service are covered by their own organisations privacy policies relating to employees, and that the reports and alerts generated by our systems should be treated with care.


Our policy on sharing data with 3rd parties.

We do not sell, share, or distribute your data to any 3rd parties, other than with our approved partners who wish to provide our service to you, on your behalf (such as managed service providers). When we enter into an agreement with a partner we will ensure that they commit to us to only use the information in an ethical way and that they have authorisation from you to provide our services to them as a partner.


Breach Data Collection

One of the core tenants of our service is the monitoring and alerting of breach data. Breach data by its very nature is data that has already been stolen or compromised and is now in the public domain, though it can be hard to find. Our services monitor for the release or trading of that data, and we look for data that matches our subscribers and notify them about it. Breach data can contain varying amounts of information from a single email address to a raft of other data points. When we find data we process it to extract the following information to help us match data relating to your users and explain the risk of this data being in the public domain:

  • Username
  • Email Addresses
  • Passwords
  • Password Hashes
  • Security Questions and answers
  • Address
  • Phone number
  • Date of birth
  • The source of the leak (when possible)

This information is broken down (tokenised) in order for us to evaluate its relevance and risk to an organisation.

Any other information that may have been contained is stripped and removed, so if information such as your credit card numbers, gender etc are included in the disclosed information we disregard that data as we have no use for it and it could be risky for us to keep it. This is beyond the scope of our service.


Source Masking

Whenever we obtain new data we try and identify where it came from so we can help our clients take any required mitigation steps. When we can determine the source we record that in our systems, but we may apply a privacy flag to it if we believe it could be considered special category dataunder the terms of GDPR. Definitions of this under GDPR include:

  • race
  • ethnic origin
  • politics
  • religion
  • trade union membership
  • genetics
  • biometrics (where used for ID purposes)
  • health
  • sex life
  • sexual orientation

We extend this list to mask anything that could be used to make a inappropriate characterisation of an individual, so we also mask data which could indicate an interest in:

  • Dating
  • Gambling
  • Debt and payday loans

When a data breach is found from a source that we believe could reveal this type of information the source is withheld by anyone accept the verified individual affected.

How long do we keep breach data?

We keep breach data indefinitely. We do this because its already publicly available and its useful for us to compare new data with old looking for patterns which could indicate an increase in risk for an organisation.


Your rights to the data?

If you want us to delete breach data about your organisation you can request in writing via email to [email protected] and we will delete it from our indexes, but you need to consider carefully that request. The only reason we have data relating to your organisation in our databases is because it was already stolen and made public. If we remove your data we can no longer notify you about it, but it is still in the hands of others who are most likely unethical.

If you want to request what data we have on you as an individual, you can request in writing to [email protected] providing your specific email address and we will share with you what credential records we have found about you. We will provide you with the raw data only. Enriched and analysed data is already available to subscribers in our portal.


Concerns

If you have any concerns about the way we are collecting or using your data you should raise your concerns with us in the first instance or directly to the Information Commissioner’s office at https://ico.org.uk/concerns .


Approval

By accepting our privacy policy you are agreeing that Threat Status can collect data about your organisation which is in the public domain, process it and produce reports, alerts and analysis relating to cyber threat.

You also agree that Threat Status may contact you about product enhancements and additional service offerings, but also that you can opt out of being contacted about this information at any time.