SecurityMetrics Privacy Policy


SecurityMetrics, Inc. is aware of the privacy concerns of its customers. Our policy for collecting and using personal information is detailed below.

EU-US Privacy Shield & Swiss-US Privacy Shield

This Privacy Policy describes how SecurityMetrics collects, uses, and discloses certain personally identifiable information that we receive in the US from the European Economic Area (“EEA Personal Data”).

SecurityMetrics recognizes that the EEA has established strict protections regarding the handling of EEA Personal Data, including requirements to provide adequate protection for EEA Personal Data transferred outside of the EEA. To provide adequate protection for certain EEA Personal Data about Customers received in the US, SecurityMetrics has elected to self-certify to the EU-US Privacy Shield Framework administered by the US Department of Commerce (“Privacy Shield”). SecurityMetrics adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability.

SecurityMetrics also complies with the Swiss-US Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of personal information from Switzerland.

For purposes of enforcing compliance with the Privacy Shield, SecurityMetrics is subject to the investigatory and enforcement authority of the US Federal Trade Commission. For more information about the Privacy Shield, see the US Department of Commerce’s Privacy Shield website located at: To review SecurityMetrics’ representation on the Privacy Shield list, see the US Department of Commerce’s Privacy Shield self-certification list located at:

Information Collected

SecurityMetrics collects information about its Customers from third parties such as acquiring banks, merchant service providers, and independent sales organizations (collectively “MSPs”), with whom the Customer has a contractual relationship, and through its website and related eCommerce services at several points. SecurityMetrics’ website is maintained in the United States of America. By using SecurityMetrics’ website, you freely and specifically give us your consent to export your personally identifiable information to the USA and store and use it in the USA as specified by this Privacy Policy. All information collected by SecurityMetrics is provided by the user, which in this case is the Customer.

  • SecurityMetrics may collect information related to user information of Customer contacts as part of the services performed for a Customer including name, email address, phone number, address, fax numbers, and other contact information related to the user.
  • Credit card data of the Customer may be collected and stored by SecurityMetrics. This data is stored in accordance with the PCI DSS.
  • SecurityMetrics also collects data related to a Customer’s data security as requested by the Customer when purchasing the services. This data includes answers to self-assessment questionnaires, vulnerability scan data, and which security services the Customer purchases.
  • SecurityMetrics allows Customers to add additional users to a Customer’s account. Customer agrees that SecurityMetrics may allow an MSP from whom it received Customer’s information to be added as an additional user on a user’s account with rights to make changes to the account.
  • SecurityMetrics collects information that is not personally identifiable to the user, such as referring URL addresses, time spent in certain areas of SecurityMetrics’ website, actions taken while on SecurityMetrics’ website, and origination of the user.
  • Certain information such as your IP address, browser type, domain names, and access times may also be collected.
  • To receive products and services sold or provided by SecurityMetrics, contact information is required for billing, communicating about the services, and to perform the services.

Information Usage

  • Part of SecurityMetrics’ services is to report certain Customer compliance with data security standards, and this reporting requires contact information of the Customer.
  • SecurityMetrics must be certified as an Approved Scanning Vendor in order to provide certain scanning services. Part of the agreement with the Payment Card Industry Security Standards Council (“PCI SSC”), the body that certifies Approved Scanning Vendors, requires SecurityMetrics to provide information requested by the PCI SSC.
  • SecurityMetrics may use the information collected to provide notifications regarding the Customer’s services, accounts, fulfillment of transactions, information about SecurityMetrics’ websites, service changes, special offers, legal notices, and newsletters.
  • Customers who provide information may receive email announcements regarding SecurityMetrics’ services from time to time.
  • SecurityMetrics may use the information and data submitted by users and customers for any other purposes related to SecurityMetrics’ business that are compatible with the purposes for which your information was collected by SecurityMetrics, including, but not limited to, conducting market research, improving its products and services, sending surveys, and notifying customers of product upgrades and updates, new products, special offers, seminars and conventions and any other changes within SecurityMetrics that may affect customers and users.

We process EEA Personal Data for the purposes stated above. SecurityMetrics will only process EEA Personal Data in ways that are compatible with the purpose that SecurityMetrics collected it for, or for purposes the individual later authorizes. Before we use your EEA Personal Data for a purpose that is materially different than the purpose we collected it for or that you later authorized, we will notify you and provide you with the opportunity to opt out.

Third parties with whom SecurityMetrics Shares Information

SecurityMetrics’ policy in relation to information collected through registration, testing, and/or any other means is to respect and protect the privacy and confidentiality of our users. SecurityMetrics does not disclose, rent, or sell email addresses, security test results, or any other information that we may receive to any third party, unless:

  • specifically requested by the customer;
  • requested or required by applicable credit card associations, acquiring banks, credit card processors, or merchant service providers with which SecurityMetrics has a contractual agreement;
  • in response to duly authorized information requests of governmental authorities or where required by law;
  • in connection with any legal proceedings where disclosure of such data has been requested or required;
  • to service providers to conduct customer surveys, research and analytics, marketing, and data enrichment; or
  • to an agent of SecurityMetrics acting on behalf of SecurityMetrics (e.g., for database hosting, data processing or mailing services). In this case, SecurityMetrics will make certain that the agent complies with the GDPR and Privacy Shield principles (as defined above) and our commitments in this policy.

Under certain circumstances, we may remain liable for the acts of our third-party agents or service providers who perform services on our behalf for their handling of EEA Personal Data that we transfer to them.

Access to Information

SecurityMetrics understands the importance of maintaining accurate information and thus SecurityMetrics allows Customers to update their information on SecurityMetrics websites through those websites. Customers may choose to remove information collected by SecurityMetrics by contacting us in writing at: SecurityMetrics, Inc., 1275 West 1600 North, Orem, UT 84057. SecurityMetrics will respond to the request within thirty (30) days.

SecurityMetrics retains information for as long as an account is active or as needed to provide the services requested by the Customer. SecurityMetrics will also retain information as needed to comply with legal or tax obligations, comply with industry regulations, resolve disputes, and enforce agreements.

Privacy Shield Questions or Complaints

You can direct any questions or complaints about the use or disclosure of your EEA Personal Data to us at We will investigate and attempt to resolve any complaints or disputes regarding the use or disclosure of your EEA Personal Data within 45 days of receiving your complaint. For any unresolved complaints, we have agreed to cooperate with our Independent Dispute Resolution Body, the EU Data Protection Authorities, who will resolve the issue within a reasonable timeframe. These EU Data Protection Authorities can be reached at:

Data Security

SecurityMetrics maintains reasonable and appropriate security measures to protect EEA Personal Data from loss, misuse, unauthorized access, disclosure, alteration, or destruction in accordance with the Privacy Shield.

Use of Cookies

SecurityMetrics uses cookies to track how you interact with our website. SecurityMetrics does not sell cookie information to third parties or track you outside of SecurityMetrics’ website.

Opt Out

Customers who do not wish to receive commercial information from SecurityMetrics may opt out of that email by following the instructions at the bottom of the email. Customers are not usually able to opt out of emails containing information regarding a Customer’s account, services, or transactions.

Binding Arbitration

Customer may have the option to select binding arbitration for the resolution of Customer’s complaint under certain circumstances, provided you have taken the following steps: (1) raised your complaint directly with SecurityMetrics and provided us the opportunity to resolve the issue; (2) made use of the independent dispute resolution mechanism identified above; and (3) raised the issue through the relevant data protection authority and allowed the US Department of Commerce an opportunity to resolve the complaint at no cost to you. For more information on binding arbitration, see (


This privacy policy may be amended from time to time consistent with the requirements of the Privacy Shield Principles. We will post any revised policy on this website.


To access your information, ask questions about our privacy practices, request to limit the disclosure of your personal information, or issue a complaint, contact us at:

1275 W 1600 N
Orem, UT 84057

Effective Date: May 25, 2018

Scanning Abuse

SecurityMetrics, Inc., is a PCI Approved Scanning Vendor under certificate number 3707-01-08 and performs security assessment scans within the guidelines of the PCI data security initiative.


It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security. If you have any questions, please contact SecurityMetrics Technical Support.

SecurityMetrics Scanners


Users of SecurityMetrics scanning services are required to consent to abiding by the Terms of Use before purchasing scanning services from SecurityMetrics. SecurityMetrics takes reports of abuse very seriously and works with ISPs, hosting providers, and other organizations to ensure that any abuse is dealt with in a timely and appropriate manner.


Do you believe some form of SecurityMetrics scanning service abuse is occurring?
Please email us (
