PONDURANCE PRIVACY POLICY

Effective May 27, 2026

Introduction

Pondurance LLC (“Pondurance”) is committed to protecting the privacy of visitors to our website, social media pages, services, applications, and advertisements (“Site”), and has established this privacy policy (“Policy”) to inform you of our policies and practices respecting the gathering and disclosure of information you might provide when visiting our Site. By accessing or using the Site, you agree to the terms of this Policy. If you do not consent to the terms of this Policy, please do not visit our Site.

For information regarding our Privacy Policy specifically associated with text messaging of security alerts, please refer to our Security Alert Text Messaging Privacy Addendum.

Definitions

This Policy contains sections with terms used by the European legislature for the adoption of the General Data Protection Regulation (“GDPR”) and the California State Assembly for the adoption of the California Consumer Policy Act (“CCPA”). Pursuant to the GDPR, our Policy should be legible and understandable to the general public, our customers, and business partners. To ensure this, we will begin with an explanation of the terminology used related to the GDPR, CCPA, and/or other data protection regulatory requirements.

Consent: Any freely given, specific, informed and unambiguous indication of the Individual’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Data Subject (“Individual”): Any identified or identifiable person, whose Personal Data is processed by the controller who is responsible for the processing.

Personal Data/Personal Information: Any information relating to an identified or identifiable natural person (“Individual” described above); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Recipient: A natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.

Site Information Collection

Information Collected

Data that is collected is expected to be accurate from the source. The data is limited to the purposes collected for and included below as relevant to the utilization.

Personal Data/Personal Information. Pondurance does not collect your Personal Data/Personal Information without your Consent. For example, you may have the option to provide contact information such as your name, organization name, company, title, e-mail address, and/or optional answers to open ended questions related to cyber security, internet technology, and various aspects related to you or your business through our Site. Providing this optional information is voluntary on your part, and in the absence of providing such information, your Personal Data will not be collected. You may also have the option of providing additional information in a comment or message box, in which case we may collect a record of that information in a file specific to you. To the extent your public information is accessible (on third party websites such as LinkedIn, Facebook, Twitter, or other third-party websites), Pondurance retains the right to collect such public information without your consent.

Pondurance reviews third-parties on a recurring basis for their privacy standards in the case of onward data transfer.

Anonymous Information. Pondurance does not directly collect anonymous information (such as your Internet Protocol address, Web browser information, or your actions while you navigate the Site). However, the Site’s storage, hosting and/or applications may be provided by third party outsourcers who collect such information through the use of commonly used information-gathering tools, such as cookies and Web beacons. Standing alone, this information does not personally identify you.

Mobile Devices. Pondurance does not directly collect any additional information from users who access the Site via mobile phone or other mobile devices. However, our third-party service providers may collect additional mobile device information such as your mobile device IP address, operating system, carrier, and mobile Internet browser and device location information.

Use of Information Collected

Personal Data. Pondurance will only use Personal Data for the purposes for which it was given as described below, and it will not be shared without your consent except:

As necessary to collect analytics and respond to lead generations. For example, information related to your optional responses to questions described in Section 3.1.1 will be shared with Pondurance and its members, managers, affiliates, and employees. Pondurance may reach out to you if you provide your contact information. The information collected will be used for generating customer leads and recruitment. Such information will also be used to better assist Pondurance in its goal of providing quality services for its customers. Finally, such Personal Data will be used to customize content and ads and to improve the overall Site experience through visitor analytics.

In response to legal processes. For example, in response to a court order or a subpoena or in response to a law enforcement agency's request. Pondurance reserves the right to resist such requests in its sole discretion; and/or

Where we believe it is necessary to investigate, prevent, or take action regarding illegal activities or situations involving potential threats to the physical safety of any person, violations of our terms of use, to protect our rights and the rights of others, or as otherwise required by law.

Anonymous Information. Pondurance may use anonymous information collected from you to operate and improve the Site, customize content on the Site, market on other site(s), diagnose technical problems, and to respond to your request for information.

Third Party Links

The Site may contain ads served by reputable third parties or sponsors, as well as links to other websites or third-party applications such as Facebook, Twitter, or LinkedIn. These third parties may view, edit, or set their own cookies, and have privacy policies that differ in significant ways from Pondurance. We are not responsible for the privacy practices or the content of these third-party ad servers, promoters, websites or applications, and we advise you to refer to the policy statement of these third parties to understand how they collect and use information.

Data Retention

We retain your Personal Data for as long as reasonably required for the purposes for which it was collected or to which you have given your consent. Your Personal Data that we use to generate customer leads and recruitment will be used until you notify us that you no longer wish to receive communications from us.

International Transfer

The Site may be accessible internationally. However, our computer systems are based in the United States and your Personal Data will be processed by us in the U.S. If you access the Site as a visitor from outside the United States, you consent to the collection and/or processing in the United States of your information as described above. For Personal Data processed from parties in the European Economic Areas (“EEA”), Pondurance complies with the GDPR, as set forth more fully in Section 4 below.

GDPR Specific Information and Disclosures

For any and all Personal Data processed from parties in the EEA, Pondurance complies with the Regulations 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the GDPR.

Controller

Pondurance processes Personal Data both as a Processor and as a Controller as defined above and in the GDPR. All data collected or stored by Pondurance is hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from intruders. All hosting is performed in accordance with the highest security regulations.

Pondurance’s responsibilities as a controller for the purposes of the GDPR and compliance with other data protection laws applicable in the EEA related to data protection are fulfilled by its Data Protection Officer.

Data Retention and Deletion

The Controller shall process and store Personal Data of the Individual only for the period necessary to achieve the purpose of its storage or for as long as is granted pursuant to the European legislator or other legislators in laws or regulations to which the Controller must abide. Any Personal Data will be deleted upon the request of the Individual.

Rights of the Individual

Right of Confirmation: Each Individual has the right to obtain confirmation from the Controller as to whether or not his/her Personal Data is being Processed. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.

Right of Access: Each Individual has the right to obtain free information from the Controller about his/her Personal Data and to obtain a copy of said information. Additionally, our privacy regulations grant the Individual access to the following information:

The purposes of the processing;

The categories of personal data concerned;

The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;

Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

The existence of the right to request from the controller rectification or erasure of personal data, or restriction of processing of personal data concerning the individual, or to object to such processing;

The existence of the right to lodge a complaint with a supervisory authority;

Where the personal data are not collected from the individual, any available information as to their source;

The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the individual.

Furthermore, the Individual has the right to obtain information regarding whether or not the Personal Data is transferred to a third-party, or international organization. If applicable, the Individual will then have the right to be informed of appropriate safeguards in place relating to the transfer of any information. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.

Right to Rectification: Each Individual has the right to obtain from the Controller the timely rectification of inaccurate Personal Data concerning him/her. If the Individual wishes to pursue this right, he/she may, at any time, contact the Controller or any employee of the same.

Right to Erasure (Right to be Forgotten): Each individual has the right to obtain from the Controller the erasure of Personal Data in a timely manner. The Controller has the obligation to erase Personal Data in a timely manner where one of the following applies, so long as Processing is not necessary:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

The individual withdraws consent to which the processing is based according to point (a) of Article 6(1) of the GDPR, or point (a) of Article 9(2) of the GDPR or other data privacy regulation, and where there is no other legal ground for processing;

The individual objects to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or the individual objects to the processing pursuant to Article 21(2) of the GDPR or other data privacy regulation;

The personal data have been unlawfully processed;

The personal data must be erased for compliance with a legal obligation according to applicable laws in Union or Member State law to which the controller is subject;

The personal data has been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR or other data privacy regulation.

If any of the above apply, the individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.

Right of Restriction of Processing: Each Individual has the right to obtain from the Controller, restriction of Processing where one of the following applies:

The accuracy of the personal data is contested by the individual, for a period enabling the controller to verify the accuracy of the personal data; The processing is unlawful and the individual opposes the erasure of the personal data and requests

instead the restriction of their use instead;

The controller no longer needs the personal data for the purposes of the processing, but they are required by the individual for the establishment, exercise or defense of legal claims; or

The individual has objected to processing pursuant to Article 21(1) of the GDPR or other data privacy regulation pending the verification whether the legitimate grounds of the controller override those of the individual.

If any of the above conditions are met, and the individual wishes to request the restriction of processing, he/she may contact our Controller at any time and the Controller or an employee of the same will arrange for the restriction of processing.

Right to Data Portability: Each Individual has the right to receive the Personal Data concerning him/her, which was provided to the Controller, in a commonly used readable format. The Individual will have the right to transmit such Personal Data to another Controller. Furthermore, in exercising this right, the Individual will have the right to transmit his/her Personal Data directly from one Controller to another, where technically feasible. The right referred to this Section 4.3.2.6 shall not adversely impact the rights and freedoms of others. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.

Right to Object: Each Individual has the right to object, at any time, to Processing of Personal Data, which is based on point (e) or (f) of Article 6(1) of the GDPR or other data privacy regulation. This right also applies to profiling based on these provisions. Pondurance will stop Processing Personal Data in the event of objection, unless we can demonstrate compelling legitimate grounds for Processing which overrides the interests, right and freedoms of the Individual or for the establishment, exercise, or defense of legal claims. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.

Automated Individual Decision-Making, Including Profiling: Each Individual has the right not to be subject to decision making based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her. Pondurance does not use automated decision-making, or profiling.

Right to Withdraw Data Protection Consent: Each Individual has the right to withdraw his/her consent to Processing of his/her Personal Data at any time. In order to assert this right, the Individual can contact the Controller or any employee of the same to ensure that the erasure request is complied with immediately.

Controller Duties, Generally

If the Controller wishes to process existing Personal Data for a new purpose, he/she will inform the Individual. In the event of a data breach, the Controller will report such breach to its supervisory authorities and affected individuals, in compliance with the GDPR or other data privacy regulations. If a transfer of Personal Data which is undergoing Processing or is intended for Processing after transfer to a third party or international organization, Pondurance, complies with all provisions of Chapter 5 of the GDPR or other data privacy regulation.

Legal Basis for Processing

Article 6(1)(a) of the GDPR or other data privacy regulation serves as the legal basis for processing operations for which we obtain consent for a specific processing purpose, such as the purposes described within this Policy. If the processing of Personal Data is necessary for the performance of a contract to which the Individual is a part, the data processing is based on Article 6(1)(b) or other data privacy regulation. This also applies to necessary processing operations which are necessary for pre-contractual measures. If Pondurance is subject to a legal obligation where Personal Data processing is required, the processing is based on Article 6(1)(c) or other data privacy regulation. In the event processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority, processing is based on Article 6(1)(d) or other data privacy regulation. Finally, processing could be based on Article 6(1)(f) or other data privacy regulation. This legal basis is used if the processing is necessary for the purposes of the legitimate interests pursued by the Controller or third party, except where such interests are overridden by their interests or fundamental rights and freedoms of the Individual which require protection of Personal Data (particularly, if the Individual is a child).

Personal Data as a Statutory or Contractual Requirement

There are times when Personal Data is required by law or when it is provided as a result of contractual provisions. If Personal Data is within a contract between the Individual and Pondurance, the Individual may be obligated to provide such Personal Data in order to conclude the contract. If Personal Data is not provided, we may be unable to conclude the contract. An Individual can contact our Controller to determine whether or not there would be an obligation to provide Personal Data in order to conclude a contract and the consequences of not providing such Personal Data.

California Consumer Privacy Act (CCPA)

Disclosure Rights for California Residents

To exercise one or more of your rights, you , or someone authorized by you, may call us at (888) 385-1702 ext. 9789 or by following this “Link” and following the instructions presented. https://www.pondurance.com/contact

California Residents may have certain rights under the California Consumer Privacy Act (California Civil Code

§1798.100 et seq.) regarding your personal information, including:

The right to request the specific pieces of personal information that have been collected about you; the categories of personal information that have been collected; the categories of sources that we used to collect that personal information; the purpose(s) for collecting your personal information; and the categories of third-parties with whom we’ve shared your personal information in the preceding twelve (12) months.
The right to opt out of the sale of your personal information.
The right to have someone whom you authorize make a request regarding your personal information on your behalf.
The right to request deletion of your personal information that has been collected.
The right to not be discriminated against for exercising any of these rights.

General Provisions Applicable to All Visitors

Children’s Online Privacy Protection

The Site is not designed for or directed to children under the age of sixteen (16), and we will not intentionally collect or maintain information about anyone under the age of sixteen (16). If you believe that we might have any information about a child under sixteen (16), please contact us at dpo@pondurance.com.

Security

The Site aspects which Pondurance hosts have security measures in place to help protect against the loss, misuse, and alteration of information and data under our control. These aspects are hosted in a secure server environment that uses a firewall and other advanced technology to prevent interference or access from intruders. These safeguards help prevent unauthorized access, maintain data accuracy, and are intended to ensure the appropriate use of information and data received by Pondurance, but “perfect” security does not exist on the internet. Although Pondurance implements security measures on Site aspects which it hosts and for information and data it obtains, it is not responsible, and does not make any representations, as to the security measures in place for any third parties, including but not limited to, other websites, social media platforms, or advertising agencies. The safety and security of your Personal Data also depends on you.

Opt-Out Policy

Pondurance assumes that its visitors and customers have carefully read this document and agree with its contents. Pondurance offers its visitors and customers a means to choose how we may use information provided. If, at any time after providing information, you change your mind and wish to change or delete your information, please send a request specifying your new choice to: dpo@pondurance.com. Pondurance will respond to your correction or update request within thirty (30) days from the date of your request.

Correcting,Updating, or Requesting Removal of Your Information

To receive a copy of, to update, or request the removal of the information you have provided to Pondurance, please send an e-mail to dpo@pondurance.com, by accessing this “Do Not Share or Sell my Personal Information” link (https://www.pondurance.com/contact), or by calling (888) 385-1702 ext. 9789 Pondurance will respond to your correction,update, or removal request within thirty (30) days from the date of your request.

Changes to this Privacy Policy

Pondurance reserves the right to change this Privacy Policy as reasonably necessary or advisable to accommodate changes to the law, technology, or circumstances and will use reasonable efforts to provide notification of the material changes through the Site at least thirty (30) business days prior to the changes taking effect.

Additional Information

Questions regarding this Privacy Policy or the practices of the Site should be directed to: dpo@pondurance.com or by regular mail addressed to:

Pondurance LLC

Attn: Data Protection Officer

500 N. Meridian Street, Suite 500

Indianapolis, Indiana 46204

Disputes/Arbitration

Pondurance will attempt to investigate and promptly resolve any dispute or complaint regarding the interpretation or

compliance with this Privacy Policy. In the event Pondurance is unable to resolve any issues or complaints to your satisfaction, the dispute will be determined by arbitration in Marion County, Indiana before a single arbitrator. The arbitration shall be administered by JAMS pursuant to its Domestic (or International, as applicable) Comprehensive Arbitration Rules and Procedures. Judgment on the award may be entered in any court having jurisdiction.

Do Not Track Requests

Certain browsers have incorporated “Do Not Track” features. Most of these features, when turned on, send a signal to the websites you visit indicating that you do not wish to be tracked. Those websites may or may not comply with such requests, depending on the site's privacy practices. Because there is not yet a common understanding of how to interpret the Do Not Track signal, Pondurance does not currently respond to the browser Do Not Track signals on its Site.

TOOLS & PROCESSES

SPECS

Analyze your cybersecurity posture with our NIST CSF framework and get actionable recommendations

Quantify protection and risk in real time with our proprietary risk assessment engine

Our MDR solution is backed by our quality and effectiveness guarantee

TECHNOLOGY + HUMAN EXPERTISE

Cloud-native technology plus human expertise to protect what matters most

24/7 U.S.-based Security Operations Center

Prioritize cyber risks based on the threat they pose to your unique organization

SOLUTIONS BY INDUSTRY

REDUCE CYBERSECURITY RISK

Discover, assess, and harden your environment against digital risks.

Get an expert advisor or vCISO on your team to lead decision making & ensure compliance

REDUCE REGULATORY RISK

Meet legal and regulatory requirements efficiently and effectively

Prepare for a breach and lock in preferred rates

REDUCE BREACH IMPACT

Proactive, 24/7 cybersecurity to detect threats before they become breaches

Fully outsourced SIEM solution for threat detection and risk-based cybersecurity

Minimize harm with a quick response and maintain attorney-client privilege

Detect, contain, and respond to endpoint threats more efficiently and effectively

CONNECT WITH US

​

WHO WE ARE

Our passionate team of experts is committed to decreasing cybersecurity risk

CONTENT BY TOPIC

​

THOUGHT LEADERSHIP

RESOURCES

Sharpen your cybersecurity skills and inform strategy with eBooks, webinars, and tools

Expert insights and perspectives to stay ahead of trends and boost cybersecurity know-how