Privacy Policy for IISRI®
Effective Date: 17 January 2026
1. Introduction
Independent Information Security Rating Institute (IISRI®, "we", "our", "us") provides security and privacy services and reports to our customers. We are committed to safeguarding your privacy and protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your personal information, and outlines your rights in compliance with the New Zealand Privacy Act 2020 and the General Data Protection Regulation (GDPR). By using our website, applications, rating reports, and other services, you consent to the practices described in this Privacy Policy.
2. Information We Collect
We collect personal data through various interactions with IISRI® as detailed below.
2.1 Website
Through our website (iisri.com) we collect:
- Cookies: We use cookies to improve your experience on our site and to comply with our Terms and Conditions. Cookies may be used to store anonymized information with a 12-month retention period. You can manage your cookie preferences through your browser settings.
- Usage Data: We may collect non-personal information about your use of our website, such as browsing history, IP address, and device information. This data is used for website analytics and to improve user experience.
2.2 Requesting Services and Products (e-commerce)
- Personal Information: To provide you with rating reports or other products and services you may request from us, we collect your first and last name, email address, and optionally, your organization name. This data is retained for 12 months or until the rating expires, after which it is automatically deleted.
2.3 External Assessment
- Public Information: External assessments and ratings are based on publicly available information, which is mirrored, timestamped, encrypted, and stored securely. This information is not considered personal data, is not encrypted, and is retained for 12 months.
2.4 Internal Assessment
- Sensitive Information: For internal assessments (including audits) and ratings, you may provide sensitive or confidential information to us. This data is transmitted over encrypted channels and is accessible only to the IISRI® team. All data used during these assessments is encrypted. This information is not considered personal data and is deleted after the assessment.
2.5 Customer Support
- Personal data provided during report purchase is used to manage and respond to your inquiries and support requests. This information contains your contact details, is encrypted, and is retained for 12 months after the support ticket is closed.
3. Use of Collected Information
We use your personal data for the following purposes:
- Providing Services: Delivering requested services such as rating reports and publishing ratings to the IISRI® web directory. We use your email address to provide you with notifications about alerts and events of interest for vendors/organizations which you are monitoring.
- Improving Services: Analyzing website usage data to enhance user experience and improve the functionality of our services.
- Customer Support: Responding to inquiries and providing assistance within a reasonable timeframe.
- Marketing and Communication (with consent): Sending you relevant information about our services, updates, and news (with your prior consent).
3.3 Payment
- Payment Processing: We do not process or store card data. Our PCI DSS compliant payment providers (Stripe and PayPal) handle financial transactions.
4. Disclosure of Information
4.1 Personal Information
We do not disclose your personal information to third parties without your explicit consent, except in the following limited circumstances:
- Legal Requirements: We may disclose your information when required by law, such as to comply with a court order, subpoena, or other legal process. We may also disclose information to protect our legal rights or interests.
- Payment Processors: We may share your data with trusted third-party service providers (Stripe and PayPal) who process data on our behalf. These service providers are contractually obligated to maintain the confidentiality and security of your data.
We only share your data with these third parties for the purposes of providing and improving our services.
4.2 Assessment Information
Internal Assessment and rating: Data provided for internal assessments (including audits) is used exclusively for assessment purposes and will not be disclosed to third parties without explicit consent from the assessed organization or when required by law.
External Assessment and rating: Data used for external assessments is based on public records and public facing systems. We do disclose assessment results (ratings, reports, and certifications) based on this public information on our website, directory or through our assessment tools, except for:
- Legal Requirements: If required by law or to protect our legal rights.
- Explicit Requests from the Assessed Organisation: We may (temporarily) withhold your external assessment results if you provide compelling reasons.
5. Data Retention
We retain your personal data for the period necessary to fulfil the purposes outlined in this policy or as required by applicable laws, including the New Zealand Privacy Act 2020 and the GDPR. We have data retention policies in place to ensure that personal data is deleted securely when it is no longer required (up to 12 months). The retention period for other types of data may vary depending on the specific purpose and legal requirements.
6. Data Security
We employ a range of technical and organizational security measures from ISO27001:2022 Annex to protect your data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: We use encryption technologies, such as TLS 1.3, AES-256, and SHA-512, to protect data during transmission.
- Access Controls: We implement robust access controls, including strong passwords and multi-factor authentication, to restrict access to your data.
- Regular Security Audits: We conduct regular security audits and penetration testing to identify and address potential vulnerabilities.
7. Your Rights
We are committed to protecting your privacy and comply with the GDPR and the New Zealand Privacy Act 2020, which grant you certain rights regarding your personal data:
- Access: You can request copies of your personal data that we hold.
- Rectification: You can ask us to correct any inaccurate or incomplete data about you.
- Erasure (Right to be Forgotten): You can ask us to delete your personal data.
- Restriction of Processing: You have the right to request that we temporarily or permanently stop processing all or some of your personal data. This applies while we verify the accuracy of your data or the legitimacy of our data processing.
- Objection: You can object to our processing of your personal data if we are relying on a legitimate interest (or those of a third party) and there is something about your situation that makes you want to object to processing on this ground. You can also object where we are processing your personal data for direct marketing purposes.
- Data Portability: You have the right to request the transfer of your personal data to you or to a third party in a structured, commonly used, machine-readable format.
- Profiling: You have the right to object to any automated decision-making, including profiling, which produces legal effects concerning you or significantly affects you.
- Complaint: You can lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes on data protection laws.
- Withdrawal of Consent: If our processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us via our designated contact form, by email at DPO@iisri.com, or by post at:
Postal Address: 17B Farnham St, 1052 Auckland, New Zealand
8. Policy Modifications
IISRI may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make changes, we will let you know 30 days in advance by email. We will update the Effective Date at the top of this page. Please review this Privacy Policy periodically to stay informed about how we are protecting your personal data.
9. International Data Transfers
Your data may be transferred to countries outside of New Zealand or the European Union. We will take appropriate safeguards to protect your data in accordance with the relevant data protection laws.
10. Contact Us
For any questions, concerns, or requests regarding this Privacy Policy, please contact us through our contact form or:
Email us at: DPO@iisri.com
Postal Address: 17B Farnham St, 1052 Auckland, New Zealand