Our Privacy Statement
Overview
Rizkly, its affiliates and group partner companies (“We”, “Us”, or “Our”) recognize the need for protection and management of your personal information. We have therefore adopted this Privacy Statement to assist you in understanding what information We collect and how that information is used and shared. This Privacy Statement applies to the information We collect when you access any Rizkly website, when you purchase or use a Rizkly product, or when you provide any non-public information to us.
Before you access any Rizkly website, such as at https://app.rizkly.com, purchase or use Rizkly products or services, or provide any non-public information to Us, you should review this Privacy Statement to understand Our information collection and use practices.
Information We Collect
We collect certain categories of information about you and the device that you are using, particularly when you visit our websites but also when you use or purchase our products or when you provide us information to deliver you newsletters and other communications. In particular:
Contact Information: Contact information is information or data that can be used to identify or contact a specific individual. For example, when you access Our websites, We ask you to provide certain contact information when you create an account, such as your name, address, phone number, e-mail address, user IDs and passwords, contact preferences, educational and employment background. If you do not wish to provide the information requested, you may not be able to proceed with the activity or receive the benefit for which the personal information is being requested.
Payment Information: If you purchase a product or service from Rizkly, you will need to provide us with payment information. This may include billing and other transaction information, credit card number, or other financial information that we can use to ensure proper payment for the services you are purchasing.
Device Information: As is true of most websites, We gather certain information automatically and store it in log files. This information may include internet protocol (IP) addresses, browser type, Internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and/or clickstream data. We may combine this automatically collected log information with other information we collect about you.
Tracking and Location Information: We may collect and/or track certain information that is derived from the use of our products such as usage patterns, travel patterns, web site page views and traffic patterns. We may use this tracking and location information for statistical purposes to improve our products and services and to help users manage their environment and infrastructure more efficiently.
Rizkly Blog: If you use Our blog or any community forum on Our web site, you should be aware that any personally identifiable information you submit there can be read, collected, or used by other users of these forums, and could be used to send you unsolicited messages. We are not responsible for the personally identifiable information you choose to submit in these forums. Although We are not responsible for the personally identifiable information you choose to submit via these forums, We will use reasonable efforts to remove that information from our blogs or community forums, if you contact us at rizklysupport@rizkly.com.
Information Related to Data Collected for our Clients: Rizkly collects information under the direction of its Clients, and has no direct relationship with the individuals whose personal data it processes. If you are a customer of one of our Clients and would no longer like to be contacted by one of our Clients that use our service, please contact the Client that you interact with directly. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our Clients.
Access and Retention of Data Controlled by our Clients: We acknowledge that you have the right to access your personal information. Rizkly has no direct relationship with the individuals whose personal data it processes. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query to Rizkly’s Client (the data controller). If requested to remove data we will respond within a reasonable timeframe. We will retain personal data we process on behalf of our Clients for as long as needed to provide services to our Client. Rizkly will retain this personal information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Cookies and Similar Technologies
“Cookies” are small text files that are placed on your computer, smartphone or other device when you visit a website. Like many other website operators, Rizkly works with third party service providers and partners (including marketing partners, customer service providers, and others) to use cookies, beacons, and similar technology for a number of purposes. For example, these technologies are used in:
Analyzing site usage trends;
Administering the site;
Tracking users’ movements around the site;
Gathering demographic information about Our user base as a whole;
Saving your shopping cart;
Identifying users to remember users’ settings (e.g. language preference);
For authentication and to help you sign up for Our services.
Users can control the use of cookies at the individual browser level. Each browser is different, so check the “Help” menu of your browser to learn how to change your cookie preferences. If you reject cookies, you may still use our site, but your ability to use some features or areas of our site may be limited.
Display Advertising Targeting
We partner with a third party to either display advertising on our website or to manage our advertising on other sites. Our third party partner may use cookies or similar technologies in order to provide you advertising based upon your browsing activities and interests. If you wish to opt out of interest-based advertising click here (or if located in the European Union click here). Please note you will continue to receive generic ads.
How We Use the Information We Collect
We use the information We collect to provide and enhance Our products and services, to operate Our business (e.g. billing and other accounting purposes; establishing accounts and contacting you regarding important information about your account, including notices and updates), for editorial and feedback purposes, for marketing and promotional purposes (including providing your contact information to third parties with whom Rizkly has a relationship), for statistical analysis, for product development, to contact you regarding our products and services, to monitor and maintain our network, and to address issues that may arise concerning claims of abuse or inappropriate activity. For example, We may use the information We collect for the following purposes:
Displaying personalized content and advertising;
Information security and IT management;
Informing you of other products or services offered by Us;
Sending you relevant survey invitations;
Providing you with additional materials regarding Our products and services or to connect you with a Rizkly representative;
Responding directly to your questions, comments or requests for support;
Analyzing site usage to improve and customize Our web sites and products and service offerings;
Improving Our marketing and promotional efforts; and
Enforcing Our agreements with you.
Some of the information We collect allows Us to differentiate users on Our network, and in some cases, We act as a pass-through for certain pieces of information to obtain authentication for Internet access. We may compile and use for any purpose any usage data including information that we may receive by providing support or professional services under our Terms of Service agreement. If you have purchased services from Rizkly, please refer to the Terms of Service agreement to which you are party for further information regarding how we collect and process usage data.
If our use of your data is governed by the European Union’s General Data Protection Regulation (“GDPR”), you should know that we rely on the following legal grounds to process your personal information:
Performance of a contract – To the extent you have purchased a product or service from Rizkly, we may need to collect and use your personal information to perform the services which you have purchased. For example, we may use your personal information to respond to requests you make via our website and provide you with such services.
Compliance with law – In certain circumstances we may be required to process your data to comply with legal obligations to which Rizkly is subject.
Consent – Some of the personal information We collect is provided by you voluntarily, for example when you sign up to join a mailing list or register for an event, and is therefore collected and used with your permission. To withdraw your consent to such use, you can contact us at rizklysupport@rizkly.com.
Legitimate interests – We may use your personal information for our legitimate interests, such as to improve our products and services and the content on Rizkly websites. We may also use your contact information to keep you and others who have provided us with their contact information up-to-date on recent product and service developments. If you wish us to stop using your contact information in this manner, you can contact us at rizklysupport@rizkly.com.
How We Share Information We May Collect
We never sell or rent your personal information. We occasionally hire other companies to assist Us in providing products or services, handling the processing and delivery of mailings, providing customer support, hosting websites, customer billing, processing transactions, or performing statistical analysis of our services. Those companies will be permitted to obtain only the information they need to deliver the service. They are required to maintain the confidentiality of the information and are prohibited from using it for any other purpose.
We may disclose any information We collect from you if We believe such action is necessary to: (a) comply with any law, judicial proceeding, government request, court order, legal process, rule or regulation or any process served on Us; (b) protect and defend the rights or property of Rizkly (including the enforcement of Our agreements and investigation of potential violations thereof); (c) protect your safety or the safety of others; (d) detect, prevent, or otherwise address fraud, security or technical issues; or (e) act in urgent circumstances or emergencies. If We are acquired by or merged with a third party, you will be notified via email and/or a prominent notice on our website of any change in ownership, uses of your personal information, and choices you may have regarding your personal information. We reserve the right to transfer the personal information We have collected as part of that transaction or proposed transaction, provided that such third party agrees to maintain procedures no less protective than those found in our Privacy Statement.
Accessing And Changing Your Personal Information
Depending on the relevant jurisdiction, you may have certain rights granted to you by law with respect to the personal information Rizkly and others have collected about you. For example, if the GDPR applies to the data We have collected about you, you have the right to access and correct data We have about you, to object to the processing of data, and to request that any information we have about you be erased.
You may request to exercise these rights by managing your account through the online portal or by emailing our data privacy team at rizklysupport@rizkly.com. We will respond to your request within a reasonable timeframe, but no later than one month after you submit the request. To protect your privacy and security, we may require steps to verify your identity, such as a password and user ID, before granting access to your data.
Upon request Rizkly will provide you with information about whether we hold any of your personal information. If your personal information changes, or if you no longer desire our service, you may correct, update, amend, delete/remove, ask to have it removed from a public forum, directory or testimonial on our site or deactivate it by making the change on our member information page or by emailing our Customer Support at rizklysupport@rizkly.com or by postal mail at the contact information listed below. We will respond to your request within a reasonable timeframe.
Third Party Sites and Services
Third Party links from Rizkly’s websites have their own privacy policies that can be viewed by clicking on the corresponding links within each respective website. All Rizkly partners are encouraged to participate in industry privacy initiatives and to take a responsible attitude towards consumer privacy.
However, since we do not have direct control over the policies or practices of participating third parties, we are not responsible for the privacy practices or content of those sites. We recommend and encourage that you always review the privacy policies of those third parties before you provide any personal information or complete any transaction with such parties.
Our corporate web site also includes social media features, such as the Facebook “Like” button and widgets, such as the “Share this” button or interactive mini-programs that run on our site. These features may collect your IP address, which page you are visiting on our site, and may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our web site, therefore your interactions with these features are governed by the privacy statement of those third parties.
Collection and Use of Children’s Personal Information
Rizkly does not knowingly collect or use personal information from children under the age of 13, or equivalent minimum age in the respective jurisdiction. If Rizkly learns that we have personal information on a child under the age of 13, or equivalent minimum age depending on jurisdiction, we will take steps to delete that information from our systems.
Security
Rizkly takes information security seriously and uses reasonable measures to protect your information from unauthorized access. When you place orders on our websites, all of your order information, including your credit card number and delivery address, is transmitted through the Internet using Transport Layer Security (TLS) technology. TLS technology causes your browser to encrypt your order information before transmitting it to our secure server. We use a variety of security technologies depending on the situation to help protect your information from unauthorized access, use, or disclosure, such as physical access controls, TLS, Internet firewalls, and network monitoring. However, no security system is 100% secure, and therefore we cannot guarantee the security of your information or assume liability for improper access to it. If you use a password to help protect your information, it is your responsibility to keep your password confidential, change the password frequently and use a strong password. We strongly recommend that you do not share this password with anyone.
Data Retention
We will retain your information for as long as your account is active or as needed to provide you services. If you wish to cancel your account or request that we no longer use your information to provide you services, contact us at rizklysupport@rizkly.com. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Communication Preferences
You can stop delivery of promotional e-mail or other Rizkly communications by contacting Rizkly at rizklysupport@rizkly.com. Additionally, when you purchase products or services from Us, We may deliver non-promotional communications related to those products or services which may not be canceled unless you cease use of the product or service.
Changes to this Statement
We reserve the right to modify this Privacy Statement at any time, so please review it frequently. If We make material changes to this Statement, We will notify you here, by email, or by means of a notice on Our home page prior to the change becoming effective. Your continued use of Rizkly’s products, services or websites or communication with Rizkly constitutes your agreement to this Privacy Statement and any updates.
Contacting Us
If you have questions or concerns, please contact Rizkly at: rizklysupport@rizkly.com or 9812 Falls Road, Suite 400, Potomac, Maryland 20854.
Effective as of Jan 1, 2019
By Chor-Ching Fan
FedRAMP automation is on its way. The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL supports the expression of compliance information in XML, JSON and YAML. OSCAL 1.0 was released in June 2021 and the current release is Version 1.1.0 (late July 2023).
The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard. OSCAL promises to enable FedRAMP automation (and automation of other frameworks that adopt it), improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information. OSCAL automation can simplify many of the manual tasks involved in compliance, including:
- Generating security documentation
- Assessment plan and results evaluation
- Tracking remediation activities
- Reporting on compliance status
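What "machine-readable" buys you in practice is that the compliance status report in the last bullet becomes a small script rather than a reading exercise. The following is an added example, not Rizkly's code and not an official NIST or FedRAMP artefact: it cross-checks a baseline profile against a system security plan and lists the controls that are required but missing, present but without an implementation narrative, covered, or implemented without being in the baseline. Both documents are constructed, deliberately tiny fragments that follow the field names of OSCAL's JSON profile and SSP models as I understand them (`profile.imports[].include-controls[].with-ids`, `system-security-plan.control-implementation.implemented-requirements[].control-id`, `statements[].by-components[].description`); they omit most fields a real OSCAL document requires, and the UUIDs are placeholders. Validate real files against the official OSCAL schemas before relying on field names.

```python
"""Added example (not Rizkly's code): OSCAL baseline-vs-SSP coverage report.

The profile and SSP below are CONSTRUCTED fragments shaped like OSCAL 1.x JSON.
Field names are assumptions drawn from the OSCAL profile and SSP models; the
documents are not valid, complete OSCAL and the UUIDs are placeholders.
"""
import json
from typing import Dict, List, Set

# Constructed baseline: selects four controls from an imported catalog.
PROFILE_JSON = """
{"profile": {
  "uuid": "11111111-1111-4111-8111-111111111111",
  "metadata": {"title": "Example baseline (constructed)", "oscal-version": "1.1.0"},
  "imports": [{
    "href": "catalog.json",
    "include-controls": [{"with-ids": ["ac-1", "ac-2", "ac-2.1", "ia-2"]}]
  }]
}}
"""

# Constructed SSP: narratives for some of those controls, one unrelated control.
SSP_JSON = """
{"system-security-plan": {
  "uuid": "22222222-2222-4222-8222-222222222222",
  "metadata": {"title": "Example SSP (constructed)", "oscal-version": "1.1.0"},
  "import-profile": {"href": "profile.json"},
  "control-implementation": {
    "description": "Constructed fragment.",
    "implemented-requirements": [
      {"uuid": "a1", "control-id": "ac-1", "statements": [
        {"statement-id": "ac-1_smt", "uuid": "a2", "by-components": [
          {"component-uuid": "c1", "uuid": "a3",
           "description": "Access control policy is published and reviewed annually."}]}]},
      {"uuid": "b1", "control-id": "ac-2", "statements": [
        {"statement-id": "ac-2_smt", "uuid": "b2", "by-components": []}]},
      {"uuid": "d1", "control-id": "ia-2", "statements": []},
      {"uuid": "e1", "control-id": "sc-7", "statements": [
        {"statement-id": "sc-7_smt", "uuid": "e2", "by-components": [
          {"component-uuid": "c1", "uuid": "e3",
           "description": "Boundary protection via managed firewall."}]}]}
    ]
  }
}}
"""


def required_control_ids(profile_doc: dict) -> Set[str]:
    """Control ids the profile selects via explicit with-ids lists.

    Only the explicit form is resolved here: a profile that uses include-all
    (or pattern matching) can only be expanded with the imported catalog.
    """
    selected: Set[str] = set()
    excluded: Set[str] = set()
    for imp in profile_doc["profile"].get("imports", []):
        if "include-all" in imp:
            raise ValueError("include-all requires resolving the imported catalog")
        for sel in imp.get("include-controls", []):
            selected.update(sel.get("with-ids", []))
        for sel in imp.get("exclude-controls", []):
            excluded.update(sel.get("with-ids", []))
    return selected - excluded


def narrative_by_control(ssp_doc: dict) -> Dict[str, List[str]]:
    """Map each control-id in the SSP to its non-blank by-component narratives."""
    out: Dict[str, List[str]] = {}
    ci = ssp_doc["system-security-plan"]["control-implementation"]
    for req in ci.get("implemented-requirements", []):
        texts = out.setdefault(req["control-id"], [])
        for stmt in req.get("statements", []):
            for bc in stmt.get("by-components", []):
                desc = bc.get("description", "").strip()
                if desc:  # an empty description is a placeholder, not coverage
                    texts.append(desc)
    return out


def coverage_report(profile_json: str, ssp_json: str) -> Dict[str, List[str]]:
    """Classify every baseline control by what the SSP says about it."""
    required = required_control_ids(json.loads(profile_json))
    narratives = narrative_by_control(json.loads(ssp_json))
    return {
        "missing": sorted(c for c in required if c not in narratives),
        "empty": sorted(c for c in required if c in narratives and not narratives[c]),
        "covered": sorted(c for c in required if narratives.get(c)),
        "not-in-baseline": sorted(c for c in narratives if c not in required),
    }


if __name__ == "__main__":
    for status, ids in coverage_report(PROFILE_JSON, SSP_JSON).items():
        print(f"{status:16s} {', '.join(ids) or '-'}")
```

The "empty" bucket is the one a reviewer cares about most: an implemented-requirement with no narrative looks complete in a control count but would not survive an assessor. Real FedRAMP baselines also use `include-all` with exclusions and parameter settings, so a production tool resolves the profile against the catalog first; the script refuses rather than guessing in that case.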
OSCAL can be used to support a wide range of compliance frameworks, including:
- FedRAMP (early adoption in progress)
- NIST Cybersecurity Framework (CSF)
- ISO/IEC 27001
- SOC 2
- HIPAA
- PCI DSS
FedRAMP automation with OSCAL promises to be a significant improvement over previous approaches to compliance automation. As similar information exchange automation initiatives in other industries have shown (e.g. ecommerce supply chain documents or financial filings with the SEC), OSCAL should make compliance management more efficient, more effective, and more scalable.
Here are some of the benefits of using OSCAL for compliance:
- Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money. FedRAMP SSPs can easily run 300+ pages in Microsoft Word. With continual updates and document submissions to the FedRAMP PMO, this task alone will benefit greatly from OSCAL.
- Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
- Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks. OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.
Since OSCAL’s 1.0 release in 2021, Rizkly has supported the OSCAL standard with the goal of providing the best software for FedRAMP automation. We love OSCAL and think it’s great for the cybersecurity compliance world. Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one click in Rizkly. It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements. While OSCAL is still in a pre-commercialization status for FedRAMP, we recommend that CSPs explore the transition to OSCAL along with their FedRAMP R4 to R5 gap analysis and planning efforts. If you’re wondering about a FedRAMP R4 vs R5 gap analysis, Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist…just contact us.
By Chor-Ching Fan
As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives, many wonder “what’s the difference between CMMC and FedRAMP”? The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.
CMMC is a comprehensive framework designed to protect the defense industrial base’s (DIB) sensitive unclassified information. While it started with five levels of maturity, the latest version of the CMMC 2.0 framework includes 3 levels and tracks very closely with the NIST 800-171 control framework. All DoD contractors will need to achieve at least Level 1 (the required level depends on the sensitivity of the information handled by the contractor) in order to keep and/or win new work with the DoD.
FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two approaches to achieving FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four different control baselines that support the different FedRAMP authorization impact levels.
| | CMMC | FedRAMP |
|---|---|---|
| Purpose | Assesses and enhances the cybersecurity maturity of all contractors working with the DoD | Focuses on the security of cloud service providers serving federal agencies |
| Certification/Authorization Levels | 3 | 4 |
| Minimum Level Required for Work Contracts | Level 1 (once CMMC is finalized) | Authorized at the applicable impact level |
| Levels and Control Scope | | |
| Applicability | Applies to all contractors that work with the DoD | Applies to cloud service providers (CSPs) that work with US government agencies |
CMMC vs FedRAMP
CSPs must achieve Authorized status in order to provide services to US government agencies. Soon, DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.
In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics dealing with data, network, staff, physical building and vendor security. Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:
- CMMC has been in development for the past few years and is now (2023) nearing finalization.
- FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011). We view it as the high bar for cloud cybersecurity compliance.
- Both CMMC and FedRAMP are constantly evolving. The DoD, FedRAMP PMO and NIST are constantly updating the requirements to reflect the latest cybersecurity threats.
- Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs. Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.
Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls, but we do not perform the actual implementation work. Over the years, we have developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts is also a key part of compliance remediation efforts, and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.
Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative. We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project. Typical project activities include:
- Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
- Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort
- Develop the system ‘boundary’, and what will be in scope for compliance purposes
- Draft a system architecture diagram that clearly depicts the system boundary
- Review existing documentation and work with your team members to understand system and process specifics
- Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
- For each gap determine a detailed plan of action to remediate
- Collaborate as needed with personnel (staff and/or your vendors) during remediation
- Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
- Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
- Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POA&M reports and SPRS scores
- Post-remediation ensure that all controls are in place and operating effectively