1. Introduction
At CyberVault ("we", "our", or "us"), we take your privacy seriously. This Privacy Policy explains how we collect, use, process, and protect your personal data when you use our cybersecurity services, visit our website, or interact with our support and sales teams.
This policy applies to all individuals located within the European Economic Area (EEA) and the United Kingdom, and is designed to comply with the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and the Data Protection Act 2018.
2. Information We Collect
We only collect personal data that is necessary, relevant, and limited to what is required to deliver our services. This includes:
- Identity & Contact Data: Name, email address, phone number, job title, and company name.
- Technical & Usage Data: IP address, device identifiers, browser type, log files, and platform interaction metrics required for threat monitoring and service optimization.
- Transaction & Billing Data: Payment information, invoicing addresses, and contract records (processed securely via PCI DSS-compliant providers).
- Security & Compliance Data: Network configuration details, asset inventories, vulnerability scan results, and incident reports necessary for security operations.
- Communication Data: Records of support tickets, meeting notes, and correspondence related to service delivery.
3. Legal Basis & How We Use Your Data
We process personal data only when we have a lawful basis under GDPR. The primary bases include:
- Contractual Necessity: To fulfill cybersecurity agreements, provide threat detection, incident response, and compliance services.
- Legitimate Interests: To improve our platform security, prevent fraud, analyze usage trends, and maintain network integrity (balanced against your rights).
- Legal Obligation: To comply with cybersecurity regulations, tax laws, and lawful government requests.
- Consent: For marketing communications, newsletter subscriptions, and non-essential cookies, which you may withdraw at any time.
We use your data to monitor threats, generate security reports, manage client accounts, communicate service updates, and ensure platform reliability.
4. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or to comply with legal and regulatory requirements:
- Active Clients: Data retained for the duration of the service agreement plus 24 months for support and audit purposes.
- Contract & Billing Records: Retained for 7 years to comply with financial and legal obligations.
- Marketing Communications: Retained until you unsubscribe or 24 months of inactivity.
- Security Logs & Threat Intelligence: Anonymized and aggregated for threat modeling; personally identifiable data is deleted within 90 days unless required for incident response.
Upon expiration of the retention period, data is securely deleted (including by cryptographic erasure, i.e. destruction of the keys protecting the encrypted data) or permanently anonymized so that it can no longer be linked to an individual.
5. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact our Data Protection Officer (DPO) using the details in Section 9.
- Right of Access: Request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your data when it is no longer necessary for the original purpose.
- Right to Restriction: Request temporary suspension of processing while accuracy or lawful basis is verified.
- Data Portability: Receive your data in a structured, commonly used, machine-readable format and transfer it to another controller.
- Right to Object: Object to processing based on legitimate interests or direct marketing at any time.
- Withdrawal of Consent: Revoke consent for marketing or optional data processing without affecting contractual services.
- Automated Decision-Making: Right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
We will respond to all valid requests within one month of receipt, as required by GDPR Article 12(3). Where a request is complex or numerous, this period may be extended by up to two further months, and we will inform you of the extension and the reasons for it within the first month.
6. Data Security & Protection
CyberVault implements enterprise-grade technical and organizational measures to safeguard personal data against unauthorized access, alteration, disclosure, or destruction. These include:
- AES-256 encryption for data at rest and TLS 1.3 for data in transit
- Zero-trust network architecture with continuous authentication and micro-segmentation
- Role-based access control (RBAC), multi-factor authentication (MFA), and enforcement of the principle of least privilege
- 24/7 Security Operations Center (SOC) monitoring and automated threat containment
- Regular penetration testing, vulnerability assessments, and third-party security audits
- Employee security awareness training and strict non-disclosure agreements
Despite these measures, no transmission over the internet or electronic storage is 100% secure. We continuously improve our security posture to mitigate emerging threats.
7. Third-Party Processors & International Transfers
We engage carefully vetted third-party service providers to assist with cloud hosting, payment processing, email delivery, and analytics. All processors are bound by strict Data Processing Agreements (DPAs) compliant with GDPR Article 28.
Where data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place, including:
- European Commission Standard Contractual Clauses (SCCs)
- EU-US Data Privacy Framework certification where applicable
- Data residency options for regulated industries
- Regular compliance audits and security assessments of third parties
9. Contact & Data Protection Officer
For privacy inquiries, data subject requests, or complaints, please contact our DPO:
CyberVault Inc.
Email: dpo@cybervault.com
Address: 100 Cybersecurity Blvd, Suite 400, San Francisco, CA 94105
Phone: +1 (800) 555-SECURE
You also have the right to lodge a complaint with a supervisory authority in your jurisdiction, such as the UK Information Commissioner's Office (ICO) or your national Data Protection Authority.
10. Policy Updates
We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. Significant updates will be communicated via email, platform notifications, or a prominent banner on our website. Your continued use of our services constitutes acceptance of the updated policy.