The website you are visiting is developed by Secure Practice AS (org.nr. NO 919 420 197) to market and sell our own products and services. The following privacy policy applies to your use of our online services, including both this website, our exercise web app, and other interactions with us which you do as an individual, not already covered by a data processing agreement with the organization you are employed at.
Our basic attitude is that we want to process as little information about identifiable individuals as possible. At the same time, we want to offer relevant information and contact to those who request this, and to use anonymous data for analytics and further development of our own services.
The following applies when using our online services:
Responsibility
Secure Practice, under supervision by our Chief Executive Officer, is the data controller for our own websites, including public exercises, which we manage ourselves. Infrastructure is hosted by a third party, under a data processing agreement between Secure Practice and our data processor, which specifies how our data shall be processed and protected at this level. The agreement ensures that – along with technical measures – the data shall only be processed upon our instructions, that they shall only be processed in the EU/EEA, and that they shall only be accessed by Secure Practice employees, yet always only on a need-to-know basis.
Statistics
Secure Practice collects deidentified information about visitors on our websites. This is done to allow us to analyze how our websites are used, so that we can develop and improve their contents and structure.
When you visit one of our websites, we store information about which pages are visited and at which time this happens, and which web browser is used. In addition, we process the IP address as required, but we only store a limited part of it for statistical purposes after making an approximate geographical lookup through using a local database.
In order to collect statistics, we use an internally operated statistics tool, which does not process or share data with external parties.
Cookies
The statistics tools we use store something called cookies on the device you are using. Cookies are used to identify your device aross page views, so that we can collect deidentified statistics as described above.
The video player will store cookies when you play an embedded video. Our service provider Vimeo will also store deidentified information about your nationality, duration of video play, and similar (privacy policy), but only upon your specific consent to enable embedded content when using our website.
We also store our own cookie ("spid") on your device, and this is today used in relation to any download of exclusive content or when you sign up for our services (see below).
You have full access to deny websites from storing cookies on your device, see allaboutcookies.org for more information (external site). Unless you do this, you have given your consent to our use of cookies. You can also activate the Do-Not-Track-setting in your web browser to partially avoid being tracked.
Exercises
If you sign up for an exercise session, and this is not facilitated under the governance of your employer, for instance in public settings with participations from many organizations, our data processing is based on the consent you give us at the time of sign-up.
As described during sign-up in these cases, data from such exercises, including your name, email address, phone number and data you provide as exercise input, are processed anonymously, and only for the purpose of completing the given exercise session, and are automatically deleted within 30 days.
In case a diploma is offered through this exercise, the diploma is made available on a unique link, which makes it possible to share on social media. Since this link becomes unavailable due to the deletion of your data after 30 days, you can download the diploma on your personal device within this time frame.
You can exercise your rights as a data subject according to GDPR, including access and erasure, by sending a request to: privacy@securepractice.no
Newsletter
If you sign up for our newsletter, we will store your email address. This address will not be shared with other parties, and is only used to send you relevant communications in a limited fashion.
You can be removed from our mailing list at any time by emailing us: privacy@securepractice.no
Contact form
If you contact us via our contact form, we store any relevant information you input to allow us to follow up on your request.
Unless you actively specify approval of additional use of your contact information, we will not use this information for any other purpose.
Other communications
Whenever you get in touch with us, either via email, phone or by other means, we exercise our legitimate interest to process these communication data with a purpose is to follow up on potential customers.
In relation to this, your contact details may be stored in our customer relations management (CRM) system for further follow-up, with our service provider HubSpot.
MailRisk
MailRisk allows you as an employee to contribute in stopping criminals who try to steal or destroy, by analyzing and reporting suspicious emails. Whenever you use the MailRisk button in Outlook or Gmail, any such use is governed by your employer and based on legitimate interest, combined with your voluntary use of the button.
The email you have open will be collected and analyzed by a Secure Practice robot. This may include the email subject, body content, attachments, sender and recipient addresses, message headers, technical metadata (such as timestamps and message identifiers), embedded links, and other content necessary for threat analysis. For Gmail, this constitutes Google user data accessed via Google APIs, and MailRisk does not access Gmail messages unless you actively choose to analyze or report an email using the add-on. If threats are found, you will receive notice about this within a few seconds. If you specifically request feedback on a suspicious email, a security analyst will check it and send you the results via email within short time.
The robot tries to remove any personal data before sharing your email with a security analyst, to keep your identity hidden unless strictly required. A suspicious email may after all contain personal data about you. If you report an email by accident, you can simply revoke it at any time, deleting any data collected on it. The data collected is used only to analyze emails for phishing, malware, fraud, impersonation, spam, and other security threats, to provide feedback to you or your organization, to enable optional analyst review, and to maintain, secure, and improve the MailRisk service, including through the use of anonymized or aggregated data. MailRisk does not use email data or Google user data for advertising or for any unrelated purposes. If you are the only one to analyze or report a particular email, and no threat was found, the contents of this email will automatically be deleted after a limited period of time.
Your personal data will never be sold to third parties. Reported emails can however be useful for fighting crime, and for this purpose will share anonymous or pseudonymized data with various entities, such as trusted security or threat intelligence partners. Data may also be shared, where necessary, with your employer or organization administering MailRisk, with Secure Practice personnel and authorized security analysts, and with trusted subprocessors and service providers operating under data processing agreements. Data may also be disclosed to authorities if required by law or necessary to prevent or respond to security incidents or abuse. To ensure MailRisk service quality, we collect anonymous statistics about use, general findings from analyzed emails, and data on errors which may occur.
All MailRisk communication is encrypted with HTTPS/TLS, and data is protected using appropriate technical and organizational security measures such as access controls, role-based access, and the principle of least privilege. Software is built and tested with security and privacy by design in mind, by Secure Practice. Personal data are stored within EU/EEA and are processed in accordance with written agreements, which for instance ensures a right to control vendors. Where possible, personal data is minimized, masked, or pseudonymized before further processing or sharing. We do all we can to protect your data. If however something bad should happen, we are obliged to notify your employer as soon as possible.
MailRisk’s use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including applicable Limited Use requirements.
If you have any feedback or questions, please contact your organization's IT staff.
Google User Data (Gmail Add-on)
This section specifically describes how the MailRisk Gmail Add-on accesses, uses, stores, and shares Google user data, in accordance with the Google API Services User Data Policy.
Data Accessed
| Scopes | Data |
| gmail.addons.current.message.readonly | Grants read access to the headers (Subject, From, Reply-To, Message-ID, etc.) of the single email the user has currently open. No other emails, inbox content, labels, or search results are accessed. |
| userinfo.email | The user's Google account email address, used to authenticate the user against their organization's MailRisk license. |
| userinfo.profile | The user's display name and locale setting, used to show the add-on interface in the correct language. |
| script.locale | The user's locale as reported by Gmail, used for precise language selection |
Data Usage
Google user data is used solely to provide the MailRisk email threat analysis service. Specifically: email headers from the currently open message are sent to the MailRisk backend for phishing, fraud, and malware analysis. The user's email address is used for license verification and to associate analysis results with the correct organizational account. Name and locale are used only for UI personalization. Google user data is never used for advertising, profiling, or any purpose unrelated to email security analysis.
Data Sharing
Email header data derived from Google APIs may be shared with your employer or organization administering MailRisk, with Secure Practice security analysts (when analyst review is requested), and with trusted subprocessors operating under data processing agreements. Anonymous or pseudonymized threat data may be shared with security and threat intelligence partners for the purpose of combating cybercrime. Google user data is never sold to third parties. All sharing is subject to the Limited Use requirements of the Google API Services User Data Policy.
Data Storage & Protection
All data is transmitted over encrypted HTTPS/TLS connections. Data is stored within the EU/EEA on infrastructure protected by access controls, role-based permissions, and the principle of least privilege. Secure Practice applies privacy and security by design practices and maintains written data processing agreements with all subprocessors.
Data Retention & Deletion
Email data is retained only for as long as necessary to provide the service. If a reported email is found to pose no threat and you are the only reporter, its content is automatically deleted after a limited period of time. You may request deletion of your data at any time by contacting your organization's IT administrator or Secure Practice directly. Upon a valid deletion request, personal data will be removed from active systems within a reasonable timeframe consistent with applicable law.
Questions?
Feel free to send us an email via privacy@securepractice.no or call us at (+47) 92 12 1337.