Version 4.0 — Updated December 5th, 2023
Recorded Future is the world’s most comprehensive and independent threat intelligence cloud platform. It enables organizations to identify and mitigate threats across cyber, supply-chain, physical, and fraud domains. It is trusted by organizations to provide real-time, unbiased and actionable intelligence.
I. POLICY APPLICATION
- SecurityTrails, LLC
- Regemini, LLC
- Gemini Advisory, LLC
- Recorded Future LLC
- The Record by Recorded Future LLC
- RF Ultimate Parent, Inc.
- when you apply for a job with Recorded Future; or
- in the course of your employment with, or otherwise rendering services to, Recorded Future, whether as an employee, independent contractor, consultant or similar.
II. PERSONAL INFORMATION WE COLLECT – SOURCES AND CATEGORIES
Our business focuses on collecting threat intelligence data from, or about, threats for security purposes. Generally, this data does not contain information that relates to, or could be used to identify, an individual, or that could be linked with a particular individual or household.
We collect personal information when you visit our Sites and through your interactions with us. For example, when you request information about our Services, when you use our Services (such as submitting queries, performing analysis, or annotating results), subscribe to or read our published content through the Sites, listen to or subscribe to our podcast, indicate your interest in receiving marketing or other materials through our Sites, use our mobile application, provide us with your information to register for, or while at, a conference, event, or webinar, participate in our Community of Practice, when you request product support, or when you voluntarily provide information to us through our Sites or via email or telephone. We also collect personal information from our LinkedIn page and our other social media presences, from third-party commercial sources of personal information, and from publicly available sources including the dark web and open source intelligence.
For more information about our security measures to protect this information, please refer to our Information Security FAQ.
The categories of personal information we may collect include the following:
Personal identifiers: Name; email, physical or billing addresses; social media handles; telephone numbers; IP address; account number and passwords;
Internet or other electronic activity information: Device, operating system and browser information; information regarding your interaction with our Sites; URLs of the pages you visit; mobile application data; logs of browser extension queries and other usage data;
Professional information: Name of current employer or company you represent and position(s) you hold; additional professional information you provide to us or post or share with our community;
Financial information: credit/debit card information, bank details;
Commercial information: Information about queries, analysis, or annotating results that users create by utilizing the Services.
Additional information: We may collect additional categories of personal data that threat actors, and others, have collected and posted to the dark web or other publicly available sources. We collect such data through our threat intelligence tools. We cannot control or predict the categories of such personal information we may index through our threat intelligence activities, because the contents of such data are dependent upon what external third parties, such as threat actors, may post.
This means that much of the information will relate to high profile people, companies or events (e.g., the President of the United States, CEOs, cybersecurity experts), but it can include information about just about anyone – if that information is in an available source online.
Information Included in Queries: Recorded Future offers both free-text search and sandbox submission functionality, so any personal information included by you in such searches or sandbox submissions may be processed by Recorded Future.
A sandbox end user may upload a file that contains personal information, including a broader range of personal information than the categories listed above; however, the malware analysis processes the personal data in a manner incidental to the analysis of the file. The public sandbox option does store those analyzed files in a manner that is viewable to other public sandbox users.
Cookies and Other Technologies
III. HOW WE USE YOUR INFORMATION
Recorded Future only processes personal information in a way that is compatible with and relevant to the purpose for which it was collected or authorized. As a general matter, for the categories of data described in Section III above, we may use your personal information:
To provide our Services to you or your organization, including: (i) providing access to certain areas, functionalities, and features of our Services; (ii) communicating with you about your account, issues with the Services, account support, security notifications, activities on our Services and policy changes; and (iii) providing access to other content, such as our podcasts. To allow you to register for and attend events, conferences, webinars etc. and to provide you with materials and information (e.g., white papers) you request from us.
To engage in direct marketing activities with you or your organization, including, but not limited to, sending you surveys, newsletters, offers, promotions, contests, and events, and keeping you up to date on our Services or asking you about your experience with our Services.
To understand your actions, behaviors, preferences, expectations, and feedback in order to improve our products and Services, develop new offerings and Services, improve the relevance of offers of products and Services by us, and implement settings changes you make.
To ensure network and information security, and compliance with applicable law, including monitoring access to our Services for the purpose of preventing cyber-attacks, unauthorized use of our systems and Sites; export control; prevention or detection of fraud, crime and protection of your personal information.
To enable any due diligence and other appraisals or evaluations for any actual or proposed merger, acquisition, financing transaction or joint venture we or our affiliates may consider.
To defend and enforce our rights, including against legal claims that involve us or our affiliates, and to manage regulatory matters, investigations, data breaches, and/or data subject requests.
To comply with a legal obligation.
To respond to your inquiries and take action on your requests when you contact us through the Sites or by other means.
To pursue our legitimate interests to operate and improve our business.
To populate our Intelligence Cloud, Recorded Future processes the intelligence referenced above for certain legitimate business purposes, which may include (but is not limited to) the following:
- Empowering organizations to remediate compromised credentials;
- Locating data that may have been breached or leaked online;
- Tracking vulnerabilities and exploits targeting our customers;
- Providing enrichment for data logs and security infrastructure; and
- Enabling organizations to better research threats.
We analyze threat intelligence to better protect the organizations that use our service, and we believe this makes technology (and the world) more secure.
When we process personal information for our legitimate interests, we make sure to consider and balance any potential impact on potential data subjects and their rights under data protection laws.
IV. COLLECTIVE INSIGHTS AND QUERY DATA
Generally, Recorded Future uses query data in one of two ways:
i) Recorded Future uses this data to provide our services to our customers, which includes everything from returning the query results to providing the search history feature and sending out alerts as configured by users; and
ii) Recorded Future uses unattributed Customer Data to develop and improve our offerings. These improvements may include but are not limited to providing a signal to our teams regarding what type of data to improve, what research to pursue, insight into trends, data enrichment, and potential feature improvements.
Further, Recorded Future may index metadata from security events generated through Collective Insights integrations to create correlations. When used on the Recorded Future Platform, this metadata will be devoid of attribution to its original sources.
Recorded Future may share certain parts of this unattributable data with independent third parties for permissible business purposes.
V. DISCLOSING YOUR INFORMATION FOR BUSINESS PURPOSES
The categories of personal information and the corresponding business purpose that we disclose to third parties are:
Personal identifiers to service providers that provide customer relationship management services; assist us in operating, analyzing, and displaying content on our Sites; provide analytics information; provide website hosting, webcast, event/conference services; track email open rates and provide email alert services; provide advertising and marketing services; provide payment processing services.
Internet or other electronic network activity information to service providers that provide data security services and cloud-based data storage; host our Sites and assist with other IT-related functions; assist us in operating, analyzing, and displaying content on our Sites; provide analytics information; provide advertising and marketing services.
Employer and other professional information to service providers that provide customer relationship management services; assist us in operating, analyzing, and displaying content on our Sites; assist us in providing webcast and event/conference services; provide advertising and marketing services.
Financial information to service providers that provide payment processing services.
Additionally, we may also share personal information:
With our affiliates, accountants, attorneys, advisors, subsidiaries, outsourcers and third party service providers to provide and administer our offerings, and exercise our rights;
As required or permitted by law to comply with a subpoena or similar legal process or government request, or when we believe in good faith that disclosure is legally required or otherwise necessary to protect our rights and property or the rights, property or safety of others, including to law enforcement agencies, and judicial and regulatory authorities;
With third parties to help detect and protect against fraud or data security vulnerabilities;
To a third party in the event of an actual or contemplated sale, merger, reorganization of our entity or other restructuring.
VI. DATA SUBJECT PRIVACY RIGHTS
Depending on your location, you may have certain privacy rights under the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), or other applicable laws.
These rights may include the following:
Right to Know
At your request, to the extent required under applicable law, we will disclose the following, limited to what we have collected (to the extent we are able to identify):
Specific pieces of personal information we have collected about you;
Categories of personal information we have collected about you;
Categories of sources from which such personal information was collected;
Categories of personal information that the business sold or disclosed for a business purpose about you;
Categories of third parties to whom the personal information was sold or disclosed for a business purpose; and
The business or commercial purpose for collecting or selling your personal information.
The Right to Delete
At your request, to the extent required under applicable law, we will delete the personal information we have collected about you, unless such applicable law authorizes or requires us to retain specific information.
The law may authorize us to retain such information:
- When it is necessary for us to provide you with a good or service that you requested;
- To perform a contract we entered into with you;
- To maintain the functionality or security of our systems;
- To comply with or exercise rights provided by the law.
Applicable law may also permit us to retain specific information for our exclusive internal use, but only in ways that are compatible with the context in which you provided the information to us or that are reasonably aligned with your expectations based on your relationship with us. We will act on your deletion request within the timeframes required by applicable law.
Right to Opt out of Sale or Sharing
You may direct us not to sell your personal information by submitting an opt-out request to privacy [at] recordedfuture [dot] com. We will act on your request within the timeframes set forth under applicable law.
Right to Correct
To the extent required under applicable law, you may request that we correct inaccurate information that we have about you.
Right to Limit Use/Disclosure of Sensitive Information
To the extent required under applicable law, you may request that we only use your sensitive personal information for limited purposes, such as providing you with the Services you requested.
To the extent permitted under applicable law, you may designate an agent to submit requests on your behalf.
If you would like to designate an agent to act on your behalf, you and the agent will need to comply with our verification process.
Requests to Know or Delete Personal Information: If the agent submits requests to access, know or delete your personal information, the agent must provide us with your signed permission indicating the agent has been authorized to submit the request on your behalf. We also require that you verify your identity or confirm that you provided the agent with permission to submit the request.
Requests to Opt Out of Sale: If the agent submits a request to opt out of the sale of your personal information, the agent must provide us with your signed permission demonstrating you authorized the agent to submit the opt-out request on your behalf.
This subsection does not apply when an agent is authorized to act on your behalf pursuant to a valid power of attorney.
Note: Under CCPA, the agent must be a natural person or a business entity that is registered with the California Secretary of State.
How to Exercise Your Rights and How We Will Respond
To exercise any of the rights above, contact us at +1-888-914-9661 or privacy [at] recordedfuture [dot] com.
Generally, except to the extent otherwise required under applicable law, we will within 10 business days acknowledge receipt of requests for access to or deletion of data. We will respond within 45 days from when we receive your request, although we may be allowed to take longer to process your request under certain circumstances.
If we expect your request is going to take us longer than normal to fulfill, we will let you know.
We respond to requests free of charge, but we may charge a reasonable fee for administrative costs in certain situations. In some cases, the law allows us to refuse certain requests.
Verification of Identity – Access or Deletion Requests
We will ask you for identifying information and attempt to match it to information that we maintain about you.
If we are unable to verify your identity, we will not respond to your request other than to notify you that we could not verify your identity.
Under certain circumstances, California and EU/UK/Swiss residents may be permitted to submit aforementioned privacy requests through designated third-party agents. Those third-party agents must still abide by Recorded Future’s identity verification process.
IX. INTERNATIONAL DATA TRANSFERS
Some of our Services are hosted in the United States. Therefore, when you disclose personal information to us, we may transfer personal information to the US.
If you are located in the EEA/UK, we may, for the purposes listed in Section III, transfer your personal information to recipients listed in Section V, that may be located in countries outside the EEA/UK, including the US. If the European Commission and/or the United Kingdom considers data protections inadequate in such recipient countries we will take steps to protect the personal information by entering into Standard Contractual Clauses with the recipient parties, or otherwise relying on a derogation for the transfer (e.g., where the transfer is necessary for the defense of legal claims).
To the extent required under applicable law, you can request further information on the data transfer solutions relied upon, including a copy of the Standard Contractual Clauses by using the contact details below.
Self-Certification to the Data Privacy Framework (DPF)
Recorded Future complies with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF as set forth by the US Department of Commerce. Recorded Future has certified to the US Department of Commerce that it adheres to the EU-US Data Privacy Framework Principles (EU-US DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-US DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-US DPF.
In compliance with the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF (together, the “DPFs”), Recorded Future commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPFs should first contact us by emailing privacy [at] RecordedFuture [dot] com or via mail to: Recorded Future, 363 Highland Avenue Somerville, MA, 02144, USA, Attn: Data Protection Officer. Except as otherwise required under applicable law, we will respond to your inquiry within 30 days of receipt and verification of your identity.
In compliance with the DPFs, Recorded Future commits to refer unresolved complaints concerning our handling of personal information received in reliance on the DPFs to JAMS, an alternative dispute resolution provider based in the United States.
If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
The Federal Trade Commission has jurisdiction over Recorded Future’s compliance with the EU-US Data Privacy Framework (EU-US DPF), the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework (Swiss-US DPF). We may be required to disclose personal information we receive under the EU-US DPF, the UK Extension to the EU-US DPF, and the Swiss-US DPF in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Recorded Future is liable for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Recorded Future shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Recorded Future proves that it is not responsible for the event giving rise to the damage.
XI. DATA RETENTION
We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for satisfying any legal, cybersecurity, accounting or reporting requirements. To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal information together with the necessity and purposes for the processing (including whether such purposes can be achieved through other means) and the potential risk of harm from unauthorized use or disclosure of the personal information.
For more information about applicable retention periods, please review the Security FAQ Page.
XII. SECURITY OF YOUR INFORMATION
XIII. CHILDREN’S INFORMATION
The Services are not directed to children under 13 years of age (or other age as required by local law), and except to the extent authorized by applicable law, we do not knowingly collect or sell personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth below.
XIV. OTHER PROVISIONS
Our Sites may contain social media buttons or links to third-party websites, which may have privacy policies that differ from our own. We are not responsible for the activities and practices that take place on those social media platforms or third-party websites. We recommend that you review the privacy policies posted on any platform or website that you may access through our Sites.
We are committed to ensuring that our communications are accessible to people with disabilities. To make accessibility-related requests or report barriers, please contact us at notices [at] recordedfuture [dot] com.
Mobile App Users
As with the website, when you interact with the mobile app, we collect information about your use of the app and other information about your device. When you download the mobile app from an app store, you may also be sharing information with the app store provider subject to the provider’s own privacy policies.
In addition, Recorded Future collects crash data. If your app suffers a crash, it will send telemetry data back to Recorded Future through third-party services (such as Sentry.io) and through the app store you used when you downloaded the app.
If you have any questions regarding the information collected through the mobile app, please contact privacy [at] recordedfuture.com.
Attn: Data Privacy Officer
363 Highland Avenue
Somerville, MA 02144 USA