As required by law (Article 13 of Regulation (EU) 2016/679, hereinafter GDPR), Rexilience S.r.l., in the person of its legal representative pro tempore, provides users who visit the SCORE website, reachable at https://www.my-score.is/ (hereinafter the “Site”), with information regarding the processing of their data.
Before using the Site, we invite you to read the “Terms and Conditions – SCORE” at the link https://www.my-score.is/terms-and-conditions/.
1. Data Controller
The Data Controller is Rexilience S.r.l., VAT No. IT12011490963, with registered office in Corso Venezia, 54 – 20121, Milan, Italy (hereinafter the “Data Controller” or “Rexilience”).
To receive information regarding the processing, you can write to: privacy@rexilience.eu.
2. Scope
This Privacy Policy applies to the processing, carried out by Rexilience, of personal data related to users of the SCORE site who, through creation of a specific account, use the service to (i) scan for vulnerabilities in their own organization’s information systems or (ii) assess vulnerabilities in the information systems of third parties, hereinafter jointly referred to as the “Users.”
3. Categories of data
The data processed include navigation data, identification data, and contact data provided by the User when filling out the SCORE questionnaire (“Questionnaire”), as well as additional data provided later through the restricted area or the special functions dedicated to authenticated Users.
3.1 Browsing data: The computer systems and software procedures used to operate the Site acquire, during their normal operation, some personal data whose transmission is implicit in the use of Internet communication protocols.
This information is not collected to be associated with identified interested parties, but by its very nature it could, through processing and association with data held by third parties, allow Users to be identified.
This category of data includes, but is not limited to, the IP addresses or domain names of the computers used by Users who connect to the site, the addresses in URI (Uniform Resource Identifier) notation of the resources requested, the time of the request, the method used in submitting the request to the server, the size of the file obtained in response, the numerical code indicating the status of the response given by the server (successful, error, etc.) and other parameters relating to the User’s operating system and computer environment.
3.2 Data voluntarily provided by the user: This category includes all personal data voluntarily provided by the User. In particular, the identification and contact data provided by the User when accessing the Site, by filling in the appropriate questionnaire, which may also require the inclusion of data of other individuals belonging to the User’s organization, as well as additional data provided, even subsequently, through their own reserved area or the special functions dedicated to authenticated Users, are processed.
3.3 Information captured through cookies and other tracking systems: The site uses technical cookies, which are session (non-persistent) cookies necessary for safe and efficient navigation of the sites.
4. Purpose and legal basis for processing
Personal data collected through the Site are processed for the following purposes and legal bases:
- a) To take pre-contractual measures or execute a contract at the request of the User (Art. 6(1)(b) GDPR): The personal data provided by the User in an optional manner are used only to carry out the requests made by the User. In particular, personal data are used to enable the User to access the Site and take advantage of the services reserved for authenticated Users and proceed with the completion of the questionnaire, as indicated in the Terms and Conditions – SCORE (https://www.my-score.is/terms-and-conditions/), to which reference is made.
- b) Consent of the data subject (Art. 6(1)(a) GDPR): If expressly consented to, the identification and contact data may be processed for sending advertising or direct sales material or for carrying out market research or commercial communication of the activity and services offered by the Owner through traditional means, such as telephone contact with operator, as well as automatic means, such as e-mail (including through newsletters) or sms; it should be noted that any consent given for the sending of commercial and promotional communications, on the basis of Article 130, paragraphs 1 and 2, of Legislative Decree 196/2003 (“Privacy Code”), implies the receipt of such communications not only through automated means of contact (sms, email and other messages), but also through traditional means (such as paper mail or operator calls). Consent may be revoked, even separately for the different purposes, at any time, without prejudice, however, to the lawfulness of the processing carried out before said revocation.
- c) Legitimate interest of the Owner (Art. 6(1)(f) of the GDPR): Browsing data are acquired to enable proper navigation on the website, for security purposes and to check its proper functioning, and could be used to establish liability in the event of any computer crimes against the website. The data provided by the User may be used, on the basis of the legitimate interest of the owner, to carry out defensive activities or assert or defend a right in court. Finally, the data provided by the User through the completion of the Questionnaire may be used, in aggregate form, for scientific research purposes for the sole purpose of improving the service offered to the owner.
5. Nature of data provision and consequences in case of refusal
Providing data for the purposes indicated in this Privacy Policy is not mandatory.
However, failure to provide such data, even partially, will not allow the User to take advantage of the services offered and to establish any contractual relationships.
It should also be noted that failure to provide or revocation of consent for the analysis of interests and/or for carrying out commercial and promotional activities will not allow us to update the User on news, offers or initiatives promoted by Rexilience.
6. Methods of data processing, period and place of storage
Users’ data are processed, through the computer systems and programs used by Rexilience, within the limits of what is strictly necessary to achieve the indicated purposes and, in any case, so as to minimize the processing of identification and contact data.
Adequate security measures are taken to prevent data loss, illicit or incorrect use, and unauthorized access.
Data are stored in electronic files located at the Data Controller’s headquarters and at servers controlled by the Data Controller and in any case located in the European Economic Area.
The personal data provided by Users who intend to use the SCORE service will be kept for the entire duration of the contractual relationship and, after the termination of the same, only for the time necessary to ensure the fulfillment of all legal obligations.
The navigation data of Users accessing the Site are acquired and stored for 18 (eighteen) months and in any case according to legal obligations.
The data acquired with the consent of the User and processed for the purpose of sending the newsletter and/or commercial communications will be retained for 24 months and in any case until such consent is revoked.
Once the retention period has expired, the personal data will be destroyed, deleted or anonymized, consistent with the technical procedures for deletion and backup, subject to any defensive needs for which the data may be retained beyond the periods indicated.
7. Data recipients
The data will also be processed by the Owner through authorized personnel.
The data will be known to the companies that the Data Controller uses for the provision of hosting services and management of electronic mail connected to the website, companies that provide assistance and maintenance of the computer systems used, resellers, consultants for the management of litigation and legal assistance in the event of any disputes for which their involvement is necessary. The data may also become known to the competent Authorities in case of specific requests that the owner is required by law to follow up.
It should be noted that some of the subjects indicated operate as Data Processors, pursuant to Art. 28 GDPR, while others as autonomous data controllers. In the latter case, the communication of data is made because (i) prescribed by legal obligations, (ii) necessary to give effect to obligations arising from a contractual relationship or (iii) responding to the legitimate interest of the owner to maintain the security of information systems and to carry out defensive activities through legal advisors.
In any case, communication is limited to the categories of data whose transmission is necessary to achieve the stated purposes.
The data subject may request from the Data Controller the list of external subjects who carry out their activities as Data Processors.
8. Rights of interested parties
Users of the Site may, at any time, exercise the rights granted to them by Articles 15 et seq. of the GDPR.
In particular, the User may exercise:
- Right of access: you may request information from us regarding the processing we perform on your data or confirmation that we process your personal data. In this case, you may request that we provide you with copies of your data by e-mail and verify any data we may hold.
- Right of rectification: you may rectify your personal data if it is incorrect (e.g., because it is different from the data you provided when completing the report), including the right to request the integration of incomplete data.
- Right to erasure: you may request us to erase the data (or part of the data) you have provided to us.
- Right of restriction: you may request us to restrict the processing of your personal data if the legal circumstances apply.
- Right to portability: you may ask to obtain from us, in a structured, commonly used and machine-readable format, the personal data you have provided to us and to have it transmitted to another data controller designated by you.
- Right to object: you may object at any time, on grounds related to your particular situation, to the processing of your personal data, including profiling and, in such case, we will refrain from further processing of your personal data unless our overriding legitimate interests exist. Should you object to processing for any marketing purposes, we may no longer process your data for such purposes.
- Revocation of consent: in all those cases in which the processing finds its legal basis in the User’s consent, the User may revoke it at any time, without prejudice, however, to the lawfulness of the processing carried out prior to said revocation.
- Right to file a complaint with the Guarantor: without prejudice to any other administrative or jurisdictional recourse, the User may file a complaint with the Guarantor for the Protection of Personal Data, following the procedures and directions published on the Authority’s official website available at www.garanteprivacy.it.
At any time, you may exercise the above rights by contacting the following e-mail address: privacy@rexilience.eu.
9. Changes and updates to the Privacy Policy
A copy of the most current version of this policy is made available on the Site at all times.
Date last updated: October 30, 2024