The Security CLTRe Toolkit uses a variety of data. Some of it serves business logic (billing, invoicing), some serves user management (letting you log in, fetching "your" data), and some serves research (improving the tool and the technology behind it, and building the benchmark).
For billing, we collect and store information about you as a client of ours. The information we store includes your name, address, company name and contact details. If you are a paying customer, we also store a billing token issued by our payment processor, Stripe. Stripe handles the credit card payment itself and the token only references it, so we never store credit card details ourselves; Stripe's own documentation describes how the token works.
We keep this data on file for as long as you are a client, and thereafter for as long as Norwegian law requires (up to ten years for financial records).
User management data
User management data is everything we need to handle your account: your username, your email address, your password and so forth. It also includes the session tokens, cookie data and tracking data that the application needs in order to work. The toolkit is built on third-party frameworks and back-ends, and these may add session data of their own.
We keep this data for as long as you are a registered user on the system, and thereafter for as long as Norwegian law requires.
The Security CLTRe Toolkit is also a research project: we collect security culture data from around the world to build the benchmarking tool. The data we collect and use for research includes:
- your answers to the assessments you take
- your action items, and their completion dates
- your rating and progress
- the industry, company size, company revenue and location
Only you have access to your own data, so only you know what you answered, and why. The research project only gets access to the answers themselves; it does not know, and does not record, who gave them.
Example: your answer to an assessment question is 3 (Likert scale 1-5). Your own records store this data:
Record ID, UserID (you), QuestionID (the assessment question), answer (your answer)
The research record holds:
Record ID, QuestionID, Answer, industry, country, company size, company revenue
This means that the research data does not point back at you. When you delete your profile, your data is deleted with it; only the research data is kept on file.
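The split described above, written out as an added example (this is not the toolkit's own code; the class, field names, the in-memory store and the sample organisation profile are all constructed here for illustration). The point it shows is that the research record is built without the user ID and with its own, independent record ID, and that deleting a profile removes only the records that point at the user:

```python
"""Added example, not the Security CLTRe Toolkit's own code.

Stores an assessment answer twice: once as a record tied to the user, and
once as a de-identified research record. The 'database' is an in-memory
dict and the organisation profile is constructed sample data.
"""
import secrets
from dataclasses import dataclass, asdict

LIKERT_MIN, LIKERT_MAX = 1, 5


@dataclass(frozen=True)
class UserRecord:
    """What the user's own records hold: Record ID, UserID, QuestionID, answer."""
    record_id: str
    user_id: str
    question_id: str
    answer: int


@dataclass(frozen=True)
class ResearchRecord:
    """What the research records hold: no UserID, and a record ID that is
    generated independently of the user record's ID, so the two cannot be
    joined on it."""
    record_id: str
    question_id: str
    answer: int
    industry: str
    country: str
    company_size: str
    company_revenue: str


# Constructed sample organisation profile for a hypothetical user.
# The values are bands rather than exact figures.
ORG_PROFILES = {
    "user-42": {
        "industry": "finance",
        "country": "NO",
        "company_size": "50-249",
        "company_revenue": "10-50 MNOK",
    }
}


class Store:
    def __init__(self) -> None:
        self.user_records: dict[str, UserRecord] = {}
        self.research_records: dict[str, ResearchRecord] = {}

    def record_answer(self, user_id: str, question_id: str, answer: int):
        """Write the user record and the research record for one answer."""
        if not LIKERT_MIN <= answer <= LIKERT_MAX:
            raise ValueError(f"answer must be {LIKERT_MIN}-{LIKERT_MAX}")
        org = ORG_PROFILES[user_id]  # KeyError for an unknown user
        user_rec = UserRecord(secrets.token_hex(8), user_id, question_id, answer)
        # Fresh random ID: not the user record's ID and not derived from it.
        research_rec = ResearchRecord(secrets.token_hex(8), question_id, answer, **org)
        self.user_records[user_rec.record_id] = user_rec
        self.research_records[research_rec.record_id] = research_rec
        return user_rec, research_rec

    def delete_profile(self, user_id: str) -> int:
        """Delete everything that points at the user; research records stay."""
        doomed = [rid for rid, r in self.user_records.items() if r.user_id == user_id]
        for rid in doomed:
            del self.user_records[rid]
        return len(doomed)


def references_user(research_rec: ResearchRecord, user_rec: UserRecord) -> bool:
    """Check that no field of the research record carries the user's ID or
    the user record's ID. Returns False when the record is clean."""
    linking_values = {user_rec.user_id, user_rec.record_id}
    return any(v in linking_values for v in asdict(research_rec).values())


if __name__ == "__main__":
    store = Store()
    u, r = store.record_answer("user-42", "q-017", 3)
    print("user record:    ", asdict(u))
    print("research record:", asdict(r))
    print("links back to user:", references_user(r, u))
    store.delete_profile("user-42")
    print("user records left:", len(store.user_records),
          "research records left:", len(store.research_records))
```

One caveat worth keeping in mind with any scheme of this shape: industry, country, company size and revenue are not identifiers on their own, but combined they can narrow a respondent down in a small population, which is why the example keeps them as coarse bands rather than exact values.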
The same principle applies to the other research data we collect: it is collected without identifying who provided it.
We keep the research data for as long as we need it, because it gives us valuable insight into how security culture develops over time, across borders, industries and organisation sizes. This is the data that allows us to build the benchmarking tool.