Updated January 12, 2024

As set forth in Continuum GRC's Global Code of Conduct: "We respect the confidentiality and privacy of our clients, our people, and others with whom we do business."

It is the Privacy Policy of Continuum GRC to comply with the requirements of the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (“CPRA”). Continuum GRC has certified that it adheres to the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (“CPRA”) privacy principles of notice, choice, onward transfer, security, data integrity, access, and enforcement with respect to all personal information transferred from the EU to the US and within the US (personal information) within the scope of its General Data Protection Regulation (GDPR) and the California Privacy Rights Act (“CPRA”) attestations. In addition, certain personal information may be subject to more specific privacy policies of Continuum GRC, which are also consistent with the requirements of the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (“CPRA”).

This Privacy Policy describes Continuum GRC's and all ITAM sites' (collectively, “Continuum GRC,” “we,” “us,” or “our”) policies regarding the collection, use, and disclosure of personal information about you when you visit our website or use our platform at https://www.auditmachine.com/, use our app(s) (e.g., the Continuum GRC ITAM App), or otherwise interact with us concerning your actual or potential assessment data (collectively, “Services”). “Personal information” is non-public information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked to an individual. When you use our Services, you agree to our collection, use, and disclosure of personal information about you as described in this Privacy Policy. If you do not provide us with personal information we request, we may not be able to provide you with our Services, or your experience when using those Services may be impaired.

For example:

Certain Continuum GRC websites maintain their own privacy policies that apply to personal information collected via those sites and these policies may be accessed through those websites.

Personal information obtained from or relating to clients or former clients is further subject to the terms of any specific privacy notice provided to the client, any contractual arrangements with the client, and applicable laws and professional standards.

Internet privacy policy

The data controller collecting the data described herein is the Continuum GRC firm in the visitor's country or otherwise the Continuum GRC firm to which the visitor has submitted their data. Personal data collected by Continuum GRC may be transferred to other individual Continuum GRC firms, which are member firms of the worldwide Continuum GRC organization, where it is necessary to meet the purpose for which the visitor has submitted the information. By submitting data on Continuum GRC's website, the visitor is providing explicit consent to trans-border transmission of data collected on the website for the fulfillment of their voluntary requests.

Data collection

We collect only personally identifiable information that is specifically and voluntarily provided by visitors to Continuum GRC's website. Continuum GRC receives limited identifiable information, such as name, title, company address, email address, telephone and fax numbers, IP addresses, and other analytical information from website visitors. Typically, identifying information is collected to:

  • Register for certain areas of the site
  • Utilize our proprietary applications
  • Inquire for further information
  • Distribute requested reference materials
  • Submit resumes
  • Understand visitor site usage

Demographic information, including gender and occupation, is not actively sought but may be submitted when a visitor responds to an online job application. It is Continuum GRC's policy to limit the information collected to only the minimum information required to complete a visitor's request. In any instance where non-mandatory information is sought, the website visitor will be notified of this at the point of collection.

Although most publications are provided as downloads, visitors may also have the opportunity to purchase Continuum GRC publications either online, or by calling toll-free numbers to our fulfillment houses. We will collect order information and a customer's credit card information, where applicable, in order to facilitate shipment and payment for the publication.

Visitors are also able to send email through the site. Their messages will contain the user's screen name and email address, as well as any additional information the user may wish to include in the message. Because we use the website as a recruiting tool, a visit to the website may also result in the user sending a resume to an individual within Continuum GRC.

Continuum GRC's intention is not to seek any sensitive information through our website unless legally required for recruiting purposes. Sensitive information includes a number of types of data relating to: race or ethnic origin; political opinions; religious or other similar beliefs; trade union membership; physical or mental health; sexual life or criminal record. We suggest that you do not provide sensitive information of this nature. If you do wish to provide sensitive information for any reason, Continuum GRC accepts your explicit consent to use that information in the ways described in this privacy statement or as described at the point where you choose to disclose this information.

Use of data

A user may choose to provide personal information in the following examples:

  • Order publications
  • Submit resumes or work history information
  • Participate in "join our mailing list" initiatives
  • Participate in bulletin boards, discussion or message forums
  • Contact us for further information
  • Enter Quick Surveys, Quizzes or Benchmarking Surveys
  • Register for events and conferences
  • Register for premium online services

If you would like to find out more about the different categories of information collected, please review the data collection section.

Information obtained by the site is used only for the intended purpose stated at the time that the information is collected. This data is not shared with other entities in the network for secondary or unrelated purposes, or shared with a third party unless otherwise disclosed at the point of collection. If there is an instance where such information may be shared, the visitor will be asked for permission beforehand.

Continuum GRC makes every practical effort to avoid excessive or irrelevant collection of data. If a visitor believes the site has collected excessive information, we encourage the visitor to contact us at legal@ContinuumGRC.com to raise any concerns.

Except for the mailing list initiative described above, where visitors explicitly choose to receive specific Continuum GRC marketing or other materials, Continuum GRC may at times use this data collected from our websites to facilitate marketing activities.

Cookies and log files

Cookies may be used on some pages of our site. "Cookies" are small text files placed on your hard drive that assist us in providing a more customized website experience. For example, a cookie can be used to store registration information in an area of the site so that a user does not need to re-enter it on subsequent visits to that area. It is Continuum GRC's policy to use cookies to make navigation of our websites easier for visitors and to facilitate efficient registration procedures. Site statistics are compiled by third parties, and therefore your IP address will be passed to third parties for statistical reporting only.

If you are concerned about cookies, most browsers permit individuals to decline cookies. In most cases, a visitor may refuse a cookie and still fully navigate our websites; however, other functionality in the site may be impaired. After the termination of the visit to our site, you can always delete the cookie from your system if you wish.

In order to properly manage our website we may anonymously log information on our operational systems, and identify categories of visitors by items such as domains and browser types. These statistics are reported in the aggregate to our webmasters. This is to ensure that our website presents the best web experience for visitors and is an effective information resource.

Third parties

It is Continuum GRC's policy only to disclose information to third parties under the following circumstances:

  • As required by law through subpoena, search warrant, or other legal process
  • When explicitly requested by a visitor
  • When required to deliver publications, subscriptions, or reference materials requested by a visitor
  • When required to facilitate conferences or events hosted by a third party
  • When required to maintain the site's technical health, performance, and functionality.

Continuum GRC's policy is to disclose information to third parties upon visitors submitting their requests (e.g., when ordering a publication, we display the party fulfilling the order).

Some Continuum GRC publications are listed under Amazon.com in order to make it easier for visitors to purchase books online. Visitors may search the Continuum GRC list of publications and then click a link to connect to the Amazon.com site in order to make a purchase. The only information passed to the Amazon.com site is the publication that has been selected. A visitor will then be required to register at the Amazon.com site in order to purchase the publication. We recommend that you visit Amazon's privacy policy to learn more about their practices.

Continuum GRC websites do not collect or compile personally identifying information for dissemination or sale to outside parties for consumer marketing purposes, or host mailings on behalf of third parties. However, in compliance with GDPR, the California Consumer Privacy Act (CCPA), and other consumer privacy-focused laws, consumers may use the form below to inquire about opt-out options and data sharing.

Third-party links

There are several places throughout the http://ContinuumGRC.com corporate site and associated company sites that may link to other websites that do not operate under Continuum GRC's privacy practices. When you link to other websites, Continuum GRC's privacy practices no longer apply. We encourage visitors to review each site's privacy policy before disclosing any personally identifiable information.

Data retention

Some of the information we receive is not retained. For example, we usually do not keep mailing addresses for white papers. Contact information about visitors (such as information generated through registration for access to areas on the site) will be kept as long as the information is required to completely service the contact request or until a user requests that we delete that information. Mailing list information, discussion posts, and emails are kept for only the period of time considered reasonable to facilitate the visitor's requests. Resumes are disposed of when they are either no longer under consideration or are considered dated by our Human Resources departments.


As a policy, visitors are not required to register to gain access to areas of the Continuum GRC websites. In certain cases in the future, as your Continuum GRC website experience expands, we may require visitors to register in order to obtain a user ID and password for authentication and secure access to a transaction or certain business confidential or proprietary information services on premium websites.

Personally identifiable information provided to Continuum GRC through its website is provided voluntarily by visitors. Should visitors subsequently choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate website area or in communications to our visitors; or a visitor may contact the webmaster of the appropriate site, e.g., webmaster@ContinuumGRC.com.


Each visitor has the right of access to personal data they have submitted through the websites to Continuum GRC.

User updates of information should be handled by going back through the registration process. Inquiries about the accuracy of identifying information previously submitted to Continuum GRC through its website, or requests to have outdated information removed, should be directed to: webmaster@ContinuumGRC.com. Continuum GRC is committed to providing reasonable and practical access to visitors to allow them the opportunity to identify and correct any inaccuracies. When requested and practical, Continuum GRC will delete identifying information from current operational systems.

When personally identifiable information is retained, Continuum GRC assumes responsibility for keeping an accurate record of the information once a visitor has submitted and verified the data. Continuum GRC does not assume responsibility for verifying the ongoing accuracy of the content of personal information. When practically possible, if Continuum GRC is informed that any personal data collected through a website is no longer accurate, Continuum GRC will make appropriate corrections based on the updated information provided by the authenticated visitor.


Continuum GRC has implemented generally accepted standards of technology and operational security in order to protect personally identifiable information from loss, misuse, alteration, or destruction. All Continuum GRC employees follow a network-wide security policy. Only authorized Continuum GRC personnel are provided access to personally identifiable information and these employees have agreed to ensure confidentiality of this information. Continuum GRC's policy is to use secure socket layer technology for the protection of credit card information submitted through web forms. This policy is also required for any fulfillment agents of our firms.


Continuum GRC understands the importance of protecting children's privacy, especially in an online environment. The Continuum GRC sites covered by this privacy statement are not intentionally designed for or directed at children 13 years of age or younger. It is Continuum GRC's policy never to knowingly collect or maintain information about anyone under the age of 13.


Continuum GRC reserves the right to modify or amend this Statement at any time. The effective date will be displayed at the beginning of this statement. To keep visitors informed, Continuum GRC will notify users of changes to our Privacy Statement by prominently identifying the alteration for a period of not less than two weeks on our global home page at https://ContinuumGRC.com.