SecurityMetrics, Inc. is aware of the privacy concerns of its customers. Our policy for collecting and using personal information is detailed below.


SecurityMetrics' policy in relation to information collected through registration, testing, and/or any other means is to respect and protect the privacy and confidentiality of our users. SecurityMetrics does not disclose, rent, or sell email addresses, security test results, or any other information that we may receive to any third party, unless:

  • Specifically requested by the customer;
  • Requested or required by applicable credit card associations, or credit card processors with which SecurityMetrics has a contractual agreement;
  • In response to duly authorized information requests of governmental authorities or where required by law;
  • In connection with any legal proceedings where disclosure of such data has been requested or required; or
  • To an agent of SecurityMetrics acting on behalf of SecurityMetrics (e.g., for database hosting, data processing or mailing services). In this case, SecurityMetrics will make certain that the agent complies with the Safe Harbor Privacy Principles (as defined below) and our commitments in this policy.

SecurityMetrics may use the information and data submitted by users and customers for any other purposes related to SecurityMetrics' business that are compatible with the purposes for which your information was collected by SecurityMetrics, including, but not limited to, conducting market research, improving its products and services, sending surveys, and notifying customers of product upgrades and updates, new products, special offers, seminars and conventions and any other changes within SecurityMetrics that may affect customers and users.

SecurityMetrics believes in protecting your privacy. When we collect personal information from you on our website, we comply with the U.S.-EU Safe Harbor Framework and U.S.-Swiss Safe Harbor Framework regarding the collection, use and retention of personal data from the European Union and the Safe Harbor Privacy Principles published by the U.S. Department of Commerce (the "Safe Harbor Privacy Principles"). For more information about the Safe Harbor Privacy Principles, please visit the U.S. Department of Commerce's Website at These are our promises to you:

  • We'll collect only as much personal information as we need for specific, identified purposes, and we won't use it for other purposes without obtaining your consent.
  • We'll keep your personal information only as long as we need it for the purposes for which we collected it, or as permitted by law.
  • We'll take appropriate steps to make sure the personal information in our records is accurate.
  • We'll provide ways for you to access your personal information, as required by law, so you can correct inaccuracies.
  • We'll take appropriate physical, technical, and organizational measures to protect your personal information from loss, misuse, unauthorized access or disclosure, alteration, and destruction.
  • Except as described in this policy, we won't share your personal information with third parties without your consent.
  • If we transfer your personal information to another country, we'll take appropriate measures to protect your privacy and the personal information we transfer.
  • We'll regularly review how we're meeting these privacy promises, and we'll provide an independent way to resolve complaints about our privacy practices. If a complaint or dispute cannot be resolved through our internal process, we agree to participate in the dispute resolution procedures of the panel established by the European Data Protection Authorities to resolve.


This privacy policy may be amended from time to time consistent with the requirements of the Safe Harbor Privacy Principles. We will post any revised policy on this website.

Terms of Use

The following Terms of Use apply to all products and services provided by SecurityMetrics, Inc.


Users are strictly forbidden to use SecurityMetrics, Inc. to perform security tests on computers, servers, or devices that they do not have permission or authorization to test. If you use a third party hosting service, you must notify the service and receive permission for SecurityMetrics to perform security testing. You agree to hold SecurityMetrics harmless for any failure to obtain any necessary permission.


This Agreement is between you the customer ("Customer") and SecurityMetrics, Inc., a Utah corporation ("SecurityMetrics"), relating to the SecurityMetrics Compliance and Data Security Programs and Services, including but not limited to PCI, HIPAA, GLBA, Assurance, etc. ("Services"). By accessing and using the SecurityMetrics website you agree to be bound by these Terms of Use. Customer hereby requests SecurityMetrics to perform security testing services as outlined in the SecurityMetrics invoice previously generated by you ("Invoice"), as well as any additional services Customer subsequently requests, pursuant to the terms of this Agreement. Customer assumes sole responsibility and liability for any problems or liabilities arising out of any failure to provide SecurityMetrics with all of Customer's IP addresses and/or domain names that should be tested. SecurityMetrics has the right to change the Services and its prices at any time; SecurityMetrics will use good faith efforts to notify Customer of such changes via email or other written notice.

Intellectual Property

SecurityMetrics will provide Customer with written or online reports, data, policies, templates, checklists, and other materials (collectively, "Materials") in connection with the Services. You agree that all intellectual property rights in the Materials, including trade secrets, copyrights, patents and trademarks, are exclusively owned by SecurityMetrics and its licensors. Customer shall hold in confidence all Materials marked as "confidential" and shall use the Materials solely for the purposes for which they are disclosed. All Materials are licensed to Customer only for its own use and Customer does not have any rights to copy, distribute or make derivative works of the Materials without the prior written authorization of SecurityMetrics. Dissemination, distribution, copying or use of the Materials in whole or in part by a SecurityMetrics competitor or their agents is strictly prohibited.


Customer agrees to pay all charges for the Services provided to Customer, unless Customer's acquirer, payment processor, or other entity has entered into an agreement with SecurityMetrics to pay for those services. If Customer's acquirer, processor or other entity has an agreement with SecurityMetrics to pay for the Services, then this section may not apply to Customer. If you have provided SecurityMetrics with credit card information ("Card Information"), you authorize SecurityMetrics to charge the price of the Services, as provided in the Invoice, using the Card Information. If you are purchasing online Compliance services, you also authorize SecurityMetrics to automatically charge the price of Services for each renewal term of this Agreement using the Card Information. You agree to give SecurityMetrics prompt notice of any changes to the Card Information.


The term of this Agreement is for one year. If you are purchasing online Compliance services, this Agreement shall automatically renew for successive one-year terms. However, only Customer or SecurityMetrics may terminate this Agreement at any time upon written notice, with or without cause. Customer agrees that SecurityMetrics may contact Customer in furtherance of the automatic renewal of the Services.

Accuracy of Information

Customer's compliance depends entirely upon the accuracy of information provided to SecurityMetrics by Customer. Customer agrees that if Customer provides incomplete or inaccurate information this will affect Customer's compliance status, and SecurityMetrics will not be held liable for any damages incurred as a result of incomplete or inaccurate information provided by Customer. A scan result from SecurityMetrics only indicates the compliance status of the systems that SecurityMetrics has scanned and does not represent Customer's overall compliance status with the PCI Data Security Standards. Customer also agrees to give SecurityMetrics prompt notice if any information affecting data security previously provided to SecurityMetrics has changed, is changing or will change. You authorize SecurityMetrics to contact you through email, phone or fax to notify you of changes in your compliance or Services. Customer understands and agrees that any threat designated as a false positive by Customer is done at Customer's own risk. In no event shall SecurityMetrics be liable for any damages incurred by Customer as a result of Customer's designation of a threat as a false positive.


Due to the nature of the computer security business, no security company can guarantee that it will detect every vulnerability or security problem. SecurityMetrics provides its services on an "as is" basis and without any warranties whatsoever. SecurityMetrics disclaims any and all warranties, express or implied, including without limitation warranties of merchantability and fitness for a particular purpose, with respect to its services, materials and products. SecurityMetrics does not warrant that the services will detect every vulnerability on your system, or that SecurityMetrics' vulnerability assessments, suggested solutions or advice will be error-free or complete. Customer agrees that SecurityMetrics shall not be responsible or liable for the accuracy or usefulness of any information provided by it, or for any use of such information.

Limitation of Liability

In no event shall SecurityMetrics or its agents be liable for any lost profits or any direct, indirect, incidental, punitive, or consequential damages whatsoever with respect to its services, materials and products, even if SecurityMetrics has been informed of the possibility of such damages. In any event, SecurityMetrics' total liability for any claim or damage shall not exceed the fees you have paid to SecurityMetrics.


SecurityMetrics reserves the right to modify these Terms of Use at any time without notice. These Terms of Use constitute a contract between you and SecurityMetrics and are governed by Utah substantive law; provided, however, that if Customer's primary place of business is in any country other than the United States, the laws of such country shall govern this Agreement. SecurityMetrics may seek to enforce this Agreement in the courts of Utah or where Customer is situated. If suit is brought in a Utah court, Customer agrees that such court shall have jurisdiction over the subject matter and personal jurisdiction over it to decide the suit. This is the sole agreement between the parties concerning its subject matter. If any term of this Agreement is found void or unenforceable, all other terms shall remain in full force and effect. You may not assign this Agreement without SecurityMetrics' written consent. SecurityMetrics and Customer agree to the terms of the Privacy Policy posted on the website with respect to the use and protection of Customer's data.

None of the information contained within our service, or within the content SecurityMetrics makes available through our service, should be regarded as Legal Advice. The distribution and publication of our service, and the content made available with our service, does not create an attorney-client relationship between You and SecurityMetrics.

SecurityMetrics reserves the right to modify or terminate the Services and the Site or to terminate Your access to the Services and Site, in whole or in part, at any time.

Refund Policy

Refunds for the unused portion of services may be obtained by contacting the Account Renewals team at SecurityMetrics. Refunds will be processed within 5 business days.

SecurityMetrics owns and operates the servers that host this website. Contact information for SecurityMetrics may be obtained by clicking the "Contact Us" link at the top of any page.

Additional Terms For Assurance Program

The following Terms of Use apply to the liability coverage program offered as part of the SecurityMetrics Assurance Program by SecurityMetrics, Inc.

Breach Protection

The following Terms of Use apply only to merchants who are participating in the SecurityMetrics Assurance Program ("Program"). Merchants who have applied for and have paid additional consideration for participation in the Program are referred to as "Participating Merchants." Ancillary to the products and services provided in the Program, SecurityMetrics is also providing Participating Merchants up to $100,000 (the "Program Limit") of breach protection. Subject to the terms and limitations described more fully below and in the Summary of Benefits for the Assurance Program, the breach protection portion of the Program provides reimbursement for the following costs and expenses actually incurred by you in connection with a data security event:

(1) All reasonable card association assessments, forensic audit expenses, card replacement expenses, and post event services expenses resulting from a data security event occurring and reported to Higginbotham while such Participating Merchant is enrolled in the Program; and

(2) Any regulatory penalty and regulatory event expenses resulting from a regulatory action commenced and reported to Higginbotham while such Participating Merchant is enrolled in the Program.

Backed by an Insurance Policy

The Program is backed by an insurance policy (the "Policy") from Chartis Specialty Insurance Company ("Chartis"), an insurance company subsidiary of Chartis, Inc. You are not an "insured" or beneficiary under the Policy and nothing in this Agreement creates a relationship between you and Chartis (or any other Chartis affiliate). Neither Chartis nor SecurityMetrics is providing you with insurance pursuant to this Agreement. Higginbotham & Associates ("Higginbotham"), an insurance brokerage firm, acts as the claim and payment processor under the Program.

Reporting Claims

The Program provides benefits to you only if you provide a timely and complete report of a data security event or regulatory action as soon as you become aware of such event or action. You will need to provide details on the data security event or regulatory action including, but not limited to: a complete description of the data security event or regulatory action, all documents relating to the data security event or regulatory action and any other pertinent information requested by or on behalf of SecurityMetrics. To report a data security event or regulatory action under the Program, contact:

Liability Limitations

Customer assumes sole responsibility and liability for making timely and complete claims under the Program, providing necessary or requested data and information, and otherwise complying with the terms and conditions set forth in the Program. SecurityMetrics shall have no liability to any participating merchant under the program in the event, and to the fullest extent, that Chartis denies coverage under the policy for any given data security event or regulatory action. SecurityMetrics' duty to provide payments to any participating merchant for costs arising from any data security event or regulatory action under the program will be made only after, and to the extent that, SecurityMetrics receives payment from Chartis under the policy.

The Program Limit is the most any Participating Merchant can recover for each merchant identification number during a twelve (12) month period for any or all such costs or expenses, combined, and regardless of the number of data security events discovered or regulatory actions taken.

Scanning Abuse

SecurityMetrics, Inc., is a PCI Approved Scanning Vendor under certificate number 3707-01-08 and performs security assessment scans within the guidelines of the PCI data security initiative.


It is important to allow SecurityMetrics security scanners to have the same level of network access to your Internet-connected devices that you provide to the rest of the world under normal circumstances. Users of SecurityMetrics scanning services are encouraged to add rules to their firewalls and inform their ISPs or hosting providers that security assessment scans may originate from the scanning locations listed in the table below. Ensuring that traffic from SecurityMetrics scanners does not get blocked ensures maximum accuracy of the security assessments, which leads to better security. If you have any questions, please contact SecurityMetrics Technical Support.

SecurityMetrics Scanners


Users of SecurityMetrics scanning services are required to consent to abiding by the Terms of Use before purchasing scanning services from SecurityMetrics. SecurityMetrics takes reports of abuse very seriously and works with ISPs, hosting providers, and other organizations to ensure that any abuse is dealt with in a timely and appropriate manner.


Do you believe some form of SecurityMetrics scanning service abuse is occurring?
Please email us (abuse@)