PRGN-05

Web Link to Product/Service Privacy Notice

Explanation

This question is asking for the URL(s) to your product or service's privacy notice (sometimes called a privacy policy). A privacy notice is a public document that explains how your organization collects, uses, shares, and protects personal data. It outlines what data you collect, why you collect it, how long you retain it, and what rights users have regarding their data.

The question is being asked in a security assessment because privacy is a critical component of overall security posture. Organizations need to ensure that any vendor they work with handles personal data responsibly and in compliance with relevant privacy laws (like GDPR, CCPA, etc.). The privacy notice serves as a formal declaration of your privacy practices and demonstrates transparency.

The guidance notes that if your product has multiple privacy notices (perhaps for different regions or user types), you should provide all relevant links. Additionally, if your privacy notice references other documents (like terms of service or specific data processing agreements), you should provide those links as well.

To best answer this question, provide direct links to all applicable privacy notices on your public website. Make sure these links are current and the policies are up-to-date. If you have different privacy notices for different aspects of your service or for different regions, clearly label each link. If your privacy notice incorporates other documents by reference, include links to those as well.

Guidance

If multiple notices are implicated, provide all that apply. If any other documents are incorporated by reference, provide them as well.

Example Responses

Example Response 1

Our product's Privacy Notice is available at https://www.ourcompany.com/privacy-policy. This comprehensive privacy notice covers all aspects of our service and is applicable globally. We also have a supplementary Data Processing Agreement that is referenced in our Privacy Notice, which can be found at https://www.ourcompany.com/data-processing-agreement.

Example Response 2

We maintain several privacy notices depending on the user type and region:

- General Privacy Policy: https://www.productname.io/privacy
- EU-Specific Privacy Notice (GDPR Compliant): https://www.productname.io/privacy/eu
- Healthcare Customer Privacy Notice (HIPAA Compliant): https://www.productname.io/privacy/healthcare
- California Consumer Privacy Notice (CCPA Compliant): https://www.productname.io/privacy/california

Our Terms of Service, which are referenced in all privacy notices, can be found at: https://www.productname.io/terms

Example Response 3

We are currently in the process of developing a formal privacy notice for our product. At this time, we do not have a published privacy notice available on our website. We recognize this is an important compliance requirement, and our legal team is working to finalize our privacy documentation, which we expect to publish within the next 30 days. In the interim, we can provide a draft document that outlines our current privacy practices upon request, though this is not yet publicly available.

Context

Tab: Privacy
Category: General Privacy

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub