This policy and applicable supporting procedures are designed to provide ARMS Cyber
Defense with a documented and formalized process for protecting individuals’ privacy. Respect
describes our collection of personally identifiable information from users of our Web site
("Website" or "Site"), our Platform, as well as all related applications, widgets, software, tools,
and other services provided by us and on which a link to the Policy notice is displayed
(collectively, together with the Website, our "Service"). This Policy also describes our use and
disclosure of such information. Consumer personal information that ARMS Cyber Defense
receives from corporate customers is processed in our capacity as a service provider pursuant
to the contractual terms with our corporate customers.
In accordance with mandated organizational security requirements set forth and approved by
The Security Officer owns this Policy and is responsible for reviewing the Policy on an annual
basis and following any major changes to ARMS Cyber Defense's sensitive data environment, to
ensure that it continues to meet its organizational goals.
The following roles and responsibilities are to be developed and subsequently assigned to
authorized personnel within ARMS Cyber Defense regarding privacy practices:
● Security Officer: Responsibilities include providing overall direction, guidance,
leadership, and support on methods and tools for the implementation of a security and
● Risk Committee: Responsibilities include approving and monitoring adherence to this
policy, analyzing the organization’s environment, and the legal requirements with which
it must comply. Additional responsibilities include:
● Executing the privacy operations of the firm, including monitoring the system used to
solicit, evaluate, and respond to individual privacy complaints and problems;
● Evaluating implemented privacy controls;
● Assessing existing policies and procedures that address privacy areas;
● Working with appropriate departments to ensure
compliance with privacy policies and procedures;
● Recommending and monitoring, in conjunction with the relevant departments, the
development of internal systems and controls to carry out the organization’s privacy
● Reporting to the Security Officer and ARMS Cyber Defense Management on the
effectiveness of the privacy controls/program in meeting applicable regulatory
requirements and standards.
The organization must formally document and make privacy policies readily available to data
documented to include security practices for privacy as well as all areas covered below.
Authority to Process Personally Identifiable Information
The organization will determine and document the authority permitting the organization to
process personally identifiable information. The organization will restrict any processing of
personally identifiable information that is not so authorized.
Personally Identifiable Information Processing Purposes
The organization will restrict processing of personally identifiable information to only that which
is compatible with the identified purposes. If information that was previously collected is to be
used for purposes not previously identified in the privacy notice, the organization will document
the new purpose, and obtain implicit or explicit consent prior to such new use or purpose.
The organization will monitor changes in processing personally identifiable information and
implement mechanisms to ensure that any changes are made in accordance with defined
The organization will limit the collection of personally identifiable information to what is
necessary to meet the organization’s objectives. The methods of collecting personally
identifiable information will be reviewed by management prior to implementation to confirm that
personally identifiable information is obtained fairly, without intimidation or deception, and
lawfully, in adherence to all relevant rules of law.
The organization uses personally identifiable information only as is authorized and only at the
minimum necessary level required by the organization to meet service level obligations,
contractual obligations, or regulatory requirements.
The organization will retain personally identifiable information
for only as long as required or according to the organization’s retention schedule as may be
required by regulatory or contractual obligations.
The organization will disclose personally identifiable information to third parties only for the
purposes for which it was collected or created and only when implicit or explicit consent has
been obtained from the data subject or provider, unless a law or regulation specifically requires
The organization informs data subjects about the choices available to them with respect to the
collection, use, and disclosure of their personally identifiable information. The organization must
require implicit or explicit consent to collect, use, and disclose personally identifiable
information. The organization will obtain and document implicit or explicit consent from data
subjects at or before the time personally identifiable information is collected (or soon thereafter).
The individual will confirm and implement the individual’s preferences expressed in their
consent. The organization obtains consent before personally identifiable information is
transferred to or from an individual’s computer or other similar device.
The organization will implement tools or mechanisms for individuals to consent to the
processing of their personally identifiable information prior to its collection, facilitating individuals’
informed decision-making. Where possible, the organization will provide mechanisms to allow
individuals to tailor processing permissions to selected elements of personally identifiable
information. The organization will present consent mechanisms to individuals at the time of
processing. The organization will implement a mechanism for individuals to revoke consent to
the organization’s website.
The organization will also provide notice to individuals about the processing of personally
identifiable information that:
● Is available to individuals upon first interacting with an organization, and subsequently
upon changes in the notice;
● Is clear and easy to understand, expressing information about personally identifiable
information processing in plain language;
● Identifies the authority that authorizes the processing of personally identifiable
● Identifies the purposes for which personally
identifiable information is to be processed; and
● Includes specific information related to the organization’s regulatory or contractual
The organization will present notice of personally identifiable information processing to
individuals at a time and location where the individual provides personally identifiable
information or in conjunction with a data action, or annually if or when the notice changes.