Fractional CISO Privacy Policy

Last Revised: August 17, 2020

About This Document

Fractional CISO helps companies with their cybersecurity strategy and execution. We are based in the Greater Boston Area.

Fractional CISO is committed to protecting and respecting your privacy and complying with the principles of applicable data protection laws.

Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

This Privacy Policy informs you of important information about how Fractional CISO, LLC (“Fractional CISO,” “we,” or “our”) processes the personal data that we collect in online and offline formats through the Services.

“Personal data” means data that reasonably can be used to identify a living person, or that reasonably relates to a living person.

When we use the term “Services,” we mean to refer collectively to:

How we collect and use personal data

We collect and process personal data about a number of different individuals through the provision of the Services. These individuals include our individual clients and prospective clients, their representatives, visitors to our offices, visitors to our Sites, vendors, and other individuals.

Clients and prospective clients

The majority of our clients are corporate entities and data about entities is not personal data. However, we process personal data of company employees, representatives and other personal data clients provide to us, or allow us to collect on their behalf, while providing the Client Services. This includes contact information and any other personal data that is relevant to or necessary for us to deliver the Client Services.

We also process personal data to assist in building relationships. This may include, but is not limited to, name, contact information, and job title.

We collect and use this information to provide the Client Services and for other legitimate business interests. For example, we use contact details to send communications and industry updates.

Our basis for processing personal data in connection with Client Services is:

Visitors to our Sites

Certain visitors interact with the Sites in ways that lead us to gather personal data. The amount and type of data that we gather depends on the nature of the interaction. For example, if you sign up to our mailing list we collect your name, contact details, job title and company name. Visitors can always refuse to supply personal data, with the caveat that it may prevent them from engaging in certain Site-related activities.

In addition, we collect information automatically as disclosed in our Cookie Notice, below.

The bases we rely on to process this information are:

Visitors to our offices

For visitors to our offices we will take a record of name and contact information. This information is recorded for legitimate business purposes and for health and safety purposes so that we know who is in the building in event of an emergency.

The bases we rely on to process your personal data are:

Vendors and business partners

We process personal data of vendors and business partners, including name and contact details. For vendors, we do this so that we can liaise about the services the vendors are providing to us now and in the future. For business partners, we do this to support, grow, and maintain the relationship. For individual vendors and business partners, we also may hold financial information in order to pay invoices. Sometimes we receive this information from a third party who is recommending the service to us.

The basis we rely on to process this personal data is:

Other individuals

When we provide certain types of Client Services we may be provided with personal data from third parties about a number of individuals other than those described explicitly in this Privacy Policy.

The primary reason we process this personal data is to provide the Client Services, fulfill our professional duties, comply with law, and operate our business.

The bases we rely on to process your personal data are:

Additional uses of personal data

In addition to the uses described above, we may use your personal data for the following purposes. Some of these uses may, under certain circumstances, be based on your consent, may be necessary to fulfill our contractual commitments to you, or are necessary to serve our legitimate interests in the following business operations:

How we share and disclose personal data

We share personal data with the following categories of recipients.

Service Providers

We may disclose your personal data to third-party service providers to provide us with services such as website hosting, professional services, including information technology services and related infrastructure, customer service, e-mail delivery, auditing and other similar services.

To Perform Client Services

We will also disclose personal data to the following categories of third parties: (1) anyone involved in the matter we are working on; (2) law enforcement, tax, and regulatory agencies and bodies; (3) insurers; and (4) service providers such as IT and telephony services, document production, and postal and delivery services.

We may disclose personal data to third parties in order to perform services you request or functions you initiate, such as when you post information and materials on message boards and forums. When you post information publicly.

We do not sell any personal data and have not sold any personal data in the past.

Corporate Transactions or Events

We may disclose your information to a third party in connection with a corporate reorganization, merger, sale, joint venture, assignment, transfer or other disposition of all or any portion of our business, assets or capital, including in connection with any bankruptcy or similar proceedings.

Other Legal Reasons

In addition, we may use or disclose your personal data as we deem necessary or appropriate: (1) under applicable law, including laws outside your country of residence; (2) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (3) to comply with subpoenas and other legal processes; (4) to pursue available remedies or limit damages we may sustain; (5) to protect our operations or those of any of our affiliates; (6) to protect the rights, privacy, safety or property of Fractional CISO, our affiliates, you and others; and (7) to enforce our terms and conditions.

Region-Specific Disclosures

Rights in other states and countries vary, but they may include the right to: (i) request access to and rectification or erasure of their personal data; (ii) restrict or object to the processing of their personal data; and (iii) obtain a copy of their personal data in a portable format. Individuals may also have the right to lodge a complaint about the processing of personal data with a data protection authority. 

If you make a request related to personal data about you, you may be required to supply a valid means of identification as a security precaution.

State of California, United States

Individuals in California may have a right under the California Consumer Privacy Act (“CCPA”) to request erasure of their personal data or access to personal data that we have collected in the last twelve (12) months.

You may submit requests for access or erasure of your personal information.

Individuals who submit requests for access or erasure of personal information will be required to verify their identity by answering certain questions. We will not disclose or delete any information until identity is verified.

If you are making a request for access, we may not be able to provide specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of your personal information, your account with us, or our systems or networks.

If you are making a request for erasure, we may ask you to confirm again, before your request is submitted, that you would like us to delete your personal information.

You may designate an authorized agent to submit a request on your behalf by providing that agent with your written permission. If an agent makes a request on your behalf, we may still ask that you verify your identity directly with us before we can honor the request.

Agents who make requests on behalf of individuals may be required to verify the request by submitting written authorization from the individual. We will not honor any requests from agents until authorization is verified.

E-mail Marketing

We may periodically send you relevant alerts and newsletters by e-mail. To help improve our marketing activities, we often receive a confirmation when you open an e-mail or click on a link included in one of these e-mails, if your computer supports such capabilities. Instructions on how to unsubscribe from these alerts and newsletters are included in each e-mail.

Cookie Notice

We use cookies and related technologies (“Cookies”) to provide Services, gather information when users navigate through the Sites to enhance and personalize the experience, to understand usage patterns, and to improve our Sites, products, and Services.

You can review your Internet browser settings to exercise your options for certain Cookies. If you disable or delete certain Cookies in your settings, you may not be able to use features of the Sites.

The services contained in this section enable Fractional CISO to monitor and analyze web traffic and can be used to keep track of User behavior.

Google Analytics (Google LLC)

Google Analytics is a web analysis service provided by Google LLC (“Google”). Google tracks and examines the data collected on our Sites to prepare reports on its activities and share them with other Google services. Google may use the data collected to contextualize and personalize the ads of its own advertising network.

Personal Data collected: Cookies and usage data.

Place of processing: United States – Privacy Policy – Opt Out. Privacy Shield participant.

Links to Other Sites

Occasionally we provide links to other websites for your convenience and information. These sites operate independently from our Sites and are not under our control. These sites may have their own privacy notices or terms of use, which you should review if you visit any sites linked through our Sites. We are not responsible for the content or use of these unrelated sites.

Updates to this Privacy Policy

Fractional CISO may change its Privacy Policy from time to time, and at Fractional CISO’s sole discretion. Fractional CISO encourages visitors to check this page frequently for any changes to its Privacy Policy.

How to contact us

If you have any queries, questions or concerns about this Privacy Policy or our personal data handling practices, please contact us at [email protected].

© 2024 All rights reserved