Privacy Policy
Brightfly’s most important asset is our relationship with our
community. The Consensus Controls Project [the “Project”] is a direct result of
this relationship and reflects our commitment to providing unique and valuable
resources back to our community.
Brightfly, as the steward of The Project, is committed to
maintaining the confidentiality, integrity and security of any personal
information about our individual users or the organizations they represent
[“Users”]. We are proud of our privacy practices and want you to know how we
protect your information and use it to provide the community services on ConsensusControls.org
(the “Service”).
Your Privacy is not for sale
Simply put, we do not and will not sell or rent your
personal information to anyone, for any reason, at any time. We collect the
e-mail addresses of those who communicate with us via e-mail, aggregate
information on what pages, controls, etc. are accessed or visited, and
information volunteered by the Users (such as survey information and/or site
registrations). The information we collect is used to improve the content and
experiences of the Service, and is not shared with or sold to other
organizations for commercial purposes.
When you visit ConsensusControls.org, we may collect
technical and navigational information, such as browser type, Internet protocol
address, pages visited, and average time spent on the Project site. This
information may be used, for example, to alert you to software compatibility
issues, or it may be analyzed to improve our Web design and functionality.
We may use third party service providers to help us analyze
certain online activities. For example, these service providers may help us
measure the performance of our online campaigns or analyze visitor activity on
the Service. We may permit these service providers to use cookies and other technologies
to perform these services for the Project. We do not share any personally
identifiable information about our customers with these third party service
providers, and these service providers do not collect such information on our
behalf. Our third party service providers are required to comply fully with
this Privacy Policy.
Your Registration Information is kept private
The Project does not sell or rent your Registration
Information at any time.
The Project uses your Registration Information only as
follows:
- to analyze site usage and improve the Service;
- to deliver to you any administrative notices, alerts and communications relevant to your use of the Service;
- to fulfill your requests for certain products and services;
- for research, project planning, troubleshooting problems, detecting and protecting against error, fraud or other criminal activity;
- to enforce the Project’s Terms of Use; and
- as otherwise set forth in this Privacy Policy.
Access to your registration information and your
organization’s control data is strictly restricted to Brightfly employees and
contractors, as needed, in order to operate, develop or improve this valuable
community project. These individuals are bound by confidentiality obligations
and may be subject to discipline, including termination and criminal
prosecution, if they fail to meet these obligations.
Affiliated service providers will not be given your personal information without your permission
Although Brightfly currently does not have a parent company,
any subsidiaries, joint ventures, or other companies under a common control
(collectively, "affiliates"), it may in the future. Brightfly may
share some or all of your data with these affiliates, in which case we will
seek to require our affiliates to honor this Privacy Policy.
There are a number of separate products and services offered
by third parties that utilize the Service that may be complementary to your use
of the Project (e.g., consulting firms, software product companies, etc.). If
you choose to use these separate products or services, disclose information to
the providers, and/or grant them permission to collect information about you,
then their use of your information is governed by their privacy policy. You
should evaluate the practices of external service and product providers before
deciding to use their services. These third party organizations may have
different privacy policies than The Consensus Controls Project and Brightfly is
not responsible for their privacy practices.
The Project may present links in a format that enables us to
keep track of whether these links have been followed and whether any action has
been taken on a third party Web site. We use this information to improve the
quality of the Project and content on the Service.
Security
The Project uses industry standard security measures to
protect against the loss, misuse and alteration of the information under our control.
Although we make good faith efforts to store the information collected by the
Project and services running on the Project Platform in a secure operating
environment that is not available to the public, Brightfly cannot guarantee
complete security.
Data Storage
Brightfly uses third party vendors and hosting partners to
provide the necessary hardware, software, networking, storage, and related
technology required to run the Project. Although Brightfly owns the code,
databases, and all rights to the Project, you retain all rights to your data.
You can transport or delete your data
Your data is yours. You can remove it anytime you want. When
you request us to delete your account for the Service, your personally
identifiable registration information will be permanently expunged from our
primary production servers and further access to your account will not be
possible. However, portions of your data, consisting of aggregate data derived
from your controls library, may remain on our production servers indefinitely.
Your data may also remain on a backup server or media. The Project keeps these
backups to ensure our continued ability to provide the Service to you in the
event of malfunction or damage to our primary production servers.
Blogs and other Forums on ConsensusControls.org
If you use a forum, blog, or chat room on this Web site, you
should be aware that any personally identifiable information you submit there
can be read, collected, or used by other users of these forums, and could be
used to send you unsolicited messages. We are not responsible for the
personally identifiable information you choose to submit in these forums.
Promotions, Surveys, and Research Activities
From time to time, the Project may offer you the opportunity
to participate in contests, giveaways and other promotions. Any information
submitted in connection with such activities will be treated in accordance with
this Privacy and Security Policy. From time to time, Brightfly may also ask you
to participate in research surveys designed to help improve the Service and the
community. Any personally identifiable information provided to Brightfly in
connection with any survey will be used only in relation to that survey.
Brightfly may aggregate survey data and disclose such data
only in aggregate and in a non-personally identifiable manner to further
research into the governance, risk, and compliance activities of organizations
around the world.
Such information does not identify you or your organization
individually.
We comply with CAN-SPAM regulations for our newsletters
The Project sends only verified, double-opt-in e-mail
newsletters, specifically requested by Service subscribers. Subscriptions to Project
newsletters are verified by sending an e-mail confirmation to your e-mail
address, which requires a positive response before an e-mail address is added
to the Project’s list. The Project is fully compliant with the Controlling the
Assault of Non-Solicited Pornography and Marketing Act of 2003.
Because we provide you the option of receiving our
newsletters, Service subscribers have the ability to opt out of receiving these
newsletters by emailing us at security@consensuscontrols.org.
We will also send Service users service-related emails, which they do not have
the ability to opt out of.
Changes of ownership
In the event of a change in
ownership, or a merger with, acquisition by, or sale of assets to, another
entity, we reserve the right to transfer all of the Project’s data, including
email addresses, to a separate entity. Should such a transfer occur, we will
use our best efforts to require that the new combined entity follow this
privacy policy with respect to your personal information, as and to the extent
required by applicable law and require that you receive prior notice if your
personal information could be used contrary to this policy. Users may choose to
modify their registration information at that time. This means if you are
concerned about your data migrating to a new owner, you can deactivate your account.
Changes
If we decide to change our privacy and security policy, we
will update, at the top of this policy, the date upon which this policy,
including those changes, became effective, and post those changes to this policy,
so that you are aware of what information we collect, how we use it, and under
what circumstances, if any, we disclose it.
We reserve the right to modify this policy at any time, so
please review it frequently.
Questions
Any questions about this Privacy Policy should be addressed
to info@ConsensusControls.org or by mail at:
Brightfly, Inc.
9002 Chimney Rock Road #G-139
Houston, TX 77096
USA