Privacy Policy
Last updated 15/07/2024
This Privacy Notice (“Notice”) describes how CYJAX collects, uses, maintains and discloses information from our website and platforms. If you have any comments or concerns about this Notice, please contact us using the details at the end of it.
This notice is split into the following sections:
Section A – CYJAX services, platform and website
Section B – Candidates
Section C – Investors/Shareholders
A. CYJAX services, platform and website
CYJAX is a Threat Intelligence company that provides businesses with Threat Intelligence and alerting. We collect publicly available information from varying sources, enabling us to provide consultancy and advisory services to clients about the risks they face, and to help ensure their critical assets are secured. We do this through technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytic features that generate outputs in the form of alerts, reports or data feeds to enable business entities to conduct analysis of the threats they face.
1. Collection and use of personal data
We collect and use personal data for several purposes:
1.1 Information provided by you
Information provided by you is collected and used:
- to fulfil a contract that we have entered with you or with the entity that you represent. In these circumstances it may be your entity, rather than you, that has provided us with your personal data.
- to provide you with information that you have requested or that we think may be relevant to a subject you have demonstrated an interest in.
- to initiate a contract and/or commercial transaction with you or the entity you represent for the purchase of one of our products.
- to ensure the security and safe operation of our websites and underlying business infrastructure and understand visitors’ usage of our website.
- to manage any communication between you and us.
1.2 Technical information
To ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:
- technical information, including the IP (Internet Protocol) address used to connect your device to the Internet.
- your login information, browser type and version, time zone setting, browser plug-in types and versions.
- operating system and platform.
- information about your visit, including the URL (Uniform Resource Locators) clickstream to, through, and from our site.
Our Cookies Policy is available here.
As a visitor, you do not need to submit any personal information to use our website. Certain areas of the site allow you to provide us with personal information for purposes such as communicating with us, gaining access to view protected and secured content, or requesting communications about specific areas of interest.
1.3 Information we obtain from third party sources
Marketing: We may receive information from certain third-party sources such as social media platforms, event sponsors or commercial lead sources/lead generation companies, other data providers and our marketing partners. We may collect the following:
- your business contact information – your name, email address, telephone number
- Your role and interest – company name and department/job role and interest in our product.
Lead generation: We periodically appoint agents to conduct lead generating and marketing activities on our behalf. Such activity may result in the processing of personal information where we believe we have a legitimate interest in marketing our goods and services to existing and prospective customers and those who have expressed an interest in our services.
We, or our carefully selected third-party service providers, will only use this information to contact you by email or by phone to:
- provide you with information about our products and services.
- keep you up to date with our latest service announcements, updates or offers.
- respond to your enquiries.
- invite you to view or discuss our products and services.
If we send you invitations, alerts or other sales and marketing communications, we will provide you with the ability to opt out/unsubscribe from receiving future sales and marketing communications. The ability for our product users to unsubscribe from marketing communications does not mean that users unsubscribe from formal notices concerning the legal or contractual communications. We will never:
- sell, lease, your information or otherwise make available to another company for their marketing purposes. It will only be shared with our marketing partners for our marketing activities.
- make your email address visible to other subscribers. All emails will be sent with technology that will not disclose your email address.
We use HubSpot for customer relations and marketing activities. Their data privacy policies can be found at legal.hubspot.com/privacy-policy.
Website analytics and protection: When you visit our website, we use Google Analytics to collect standard internet log information and details of visitor behaviour patterns and Cloudflare to help maintain the security and performance of our website. This information does not identify visitors and we ensure that no method of collection would allow the identities of those visiting our website to be revealed.
1.4 In the event that our business is sold
If CYJAX or the majority of its assets are acquired by somebody else, your personal information will be transferred to the buyer.
2. Lawful basis and purpose for processing personal data
When you supply any personal information to us, we have legal obligations towards you in the way we use it. We will always ensure that whenever personal data processed, industry standards and legal requirements are maintained.
The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. Several data elements are collected for multiple purposes, as the table below shows.
Purpose for collection | Data collected | Reason for collection | Information category | Lawful basis for processing | Data shared with | Retention period |
---|---|---|---|---|---|---|
Fulfilment information Threat Intelligence Service Provision |
Name, company name, job title and email address | To create and provide access to the Digital Threat Intelligence Platform | User credentials | Contractual Performance | Internally, email sending platform, and Business entity you are a member of | 1 month following end of contract |
Prevent & mitigate cyber threats | *Name, telephone, address/location, and email addresses, contact details, aliases, social media accounts, financial information e.g. credit card information, photographs, DOB | * To provide Threat Intelligence services to clients to enable risk management to their business and potentially fraudulent activity | Personal data – Open source on internet and dark net | Contractual Performance, Public interest & Legitimate Interests | Internally and with clients | up to 4 years |
Transactional/invoice Information | Name, and physical business: address, email address, telephone number, bank account & details / payment information | To process payments and associated documentation for the Services provided to your organisation and to ensure any issues can be dealt with. For accounting, VAT and taxation purposes should any contractual legal claim arise | Transaction/ invoice details | Contractual performance Statutory obligation Legitimate interest |
Internally & Professional advisors | 7 Years |
Security and analytics | Technical information,IP addresses, login information (where applicable), | To protect our websites and infrastructure from attacks and threats. To enable trouble shooting. To collect statistics of website usage | Security information | Legitimate interest | Internally | 18 months |
Analytics | Technical information, IP addresses, login information (where applicable), | To understand user behaviour on the website. To enable trouble shooting. To collect statistics of website usage | Analytic information | Legitimate interest | Internally | 12 months |
Communications and account servicing | Names, contact details | To communicate with you regarding the service and new products. | Personal data -Contact information | Contractual Performance | Internally and CRM provider | 3 years following end of contract |
Marketing and sales | Name, contact details | To communicate with you regarding our services and provide articles that we believe will be of interest with you | Personal data – Contact information | Legitimate Interest | Internally, CRM provider and trusted third parties | 2 years |
*We collect open-source information published on the internet and darknet in order to supply our clients with threat intelligence services. As part of this we may capture any information relating to individuals which has been made publicly available. However, we do not specifically target the collection of information relating to members of the public. The processing of this information enables our clients to be:
- aware of vulnerabilities or exploits targeting them, ensuring they keep their networks secure
- aware of data breaches either directly impacting them or third parties
- protecting their critical assets
- preventing PII-enabled attacks against them or their customers
- aware of exposure of employee, or customer information
- aware of direct threats to them or third parties
Due to the volume of data CYJAX is collecting for this purpose, we rely on exemptions in Articles 14 a) and b) of the General Data Protection Regulation (GDPR) as it cannot feasibly be verified whether individuals are already aware that their personal data has been exposed, and it would involve a disproportionate effort to notify them and ask their consent for storing this data. CYJAX’s processing of this data does minimise the threat to them and potentially mitigate against PII-related attacks that could be carried out against them.
2.1 If our business is sold
We will share your information with the purchaser of our business and your personal information will be shared for this purpose. In this instance, we have a legitimate interest to ensure that our business can continue for the buyer. If you object to the use of your personal information in this way, the buyer will not be able to provide the services you have subscribed to. In some circumstances we will need to share your personal information if we are under a legal obligation to do so.
3. Security
CYJAX is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately, and held securely in accordance with the UK and EU General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Our ISMS (information security management system) is certified to ISO/IEC 27001, demonstrating that we have the appropriate Framework in place to ensure that all our information assets and networks are secure.
All data is encrypted both in transit, end-to-end and at rest using AES-258.
4. Storage
We will make every practical effort to store and process your information in the country in which it was submitted. However, some of our third-party suppliers may be based outside the UK and European Economic Area (EEA), so there may be instances when data is stored and transferred outside the UK or EEA. In the eventuality that data is transferred outside these areas, we have the following safeguards in place:
- the country or relevant territory has an adequate level of protection as recognised by the Information Commission Office
- specific contracts approved by the appropriate Commission which give your personal information the same protection it has as if it stayed in the UK or EEA along with effective data controls
- the third-party supplier has met our data security standards and is compliant with our information management security framework
- all data is encrypted both in transit, end-to-end and at rest
- data is stored within defined retention periods and is regularly reviewed
4.1 Third parties and sub-processors
We may disclose information to our carefully selected third parties to provide elements of our services and management of these services, such as hosting, invoicing system administration, file management. If the third-party processes data on our behalf, we will ensure that the processor only has the information they require to perform their specific service and is only entitled to process personal data to our specific instructions.
If we need to transfer your personal information to another organisation for processing in countries that are not located in the United Kingdom, European Economic Area or listed as ‘adequate’ by the Information Commissioner’s Office, we will only do so if we have sufficient protections in place to safeguard information, including, where appropriate, contractual terms approved by the relevant regulatory authorities
5. Sharing
Any information you provide to CYJAX, or that CYJAX collects, will only be used within CYJAX. It will not be shared with any third parties for commercial gain or sold.
The only other instances in which we would share this information is where we are obliged or permitted to by law, or consent has been given.
6. Your rights in relation to personal data
Under data protection laws in the European Union and the UK, you have certain rights in relation to your personal information. You have the right:
- to be informed about the collection and the use of their personal data
- to access personal data and supplementary information
- to have inaccurate personal data rectified, or completed if it is incomplete
- to erasure (to be forgotten) in certain circumstances
- to restrict processing in certain circumstances
- to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
- to cease/object to processing in certain circumstances
- rights in relation to automated decision making and profiling
- to complain to the Information Commissioner
- to withdraw your consent at any time (where relevant) by contacting [email protected]
A full list of your rights under the General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.
We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. If this is the case, we will write to you to explain the reasons why.
7. Accessing, rectifying, restricting, objecting to processing of, or erasure of your personal information
To exercise your right to access, rectify, restrict, object to processing of, or erase the personal information CYJAX holds about you, please contact our Data Privacy Manager at privacy[at]cyjax.com or, if you are based in the EU or our EU Representative (details below).
Requests will be acknowledged within three working days, with the final response and disclosure of information (subject to exemptions) within 30 calendar days.
A ‘cease processing request’ from an individual will be acknowledged immediately with an automatic email response stating that CYJAX intends to comply with the request.
For information on the Privacy and Electronic Communications (EC Directive) Regulations 2003, UK General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Information Commissioner’s Office, please follow this link: https://ico.org.uk/.
CYJAX is registered with the United Kingdom Information Commissioner’s Office (ICO) under reference ZA053004, as required by UK (United Kingdom) legislation.
7.1 EU (European Union) Representative
As we do not have an establishment in the European Union (“EU”), we have appointed a representative based in Ireland, who you may contact if you are located in the EU to raise any issues or queries you may have relating to our processing of your Personal Data and/or this Privacy Notice. Our EU representative is Data Protection Limited, located at 2 Pembroke House, 28-32 Upper Pembroke Street, Dublin, Ireland D02 EK84. Our EU representative can be contacted directly on 00 353 1 447 0402 or at [email protected].
7.2 Disclaimer
As far as is possible, CYJAX will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, as we regularly virus-check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.
Links to other websites included on this website do not imply any endorsement, validation, or responsibility by CYJAX as to the content or privacy policies of such sites. We cannot guarantee that these links will work all the time and we have no control over the availability of the linked pages.
B. Candidates’ privacy notice
CYJAX respects your privacy and is committed to protecting your personal data. When you apply for a position at CYJAX we process your data and are the data controller. This means that we are responsible for deciding how we hold and use your personal data.
This notice explains how we obtain and manage your data during the recruitment and selection process whether as an employee, consultant or contractor.
8. Candidates: Collection of personal data and use
In connection with your application, most of the information will be provided by you or someone on your behalf with your knowledge, such as a recruitment agent or a referee. The information we will collect, use and store will usually include:
- Contact Information: Name, address, email address, phone number.
- CV and Application Details: employment history, education, qualifications, skills, professional memberships, and other relevant information provided in your application.
- Interview Information: Notes and assessments from interviews or other assessments.
- References: Information provided by your referees.
9. Candidates: Lawful basis and purpose for processing personal data
We process your personal data for the following purposes:
- Recruitment and Selection: Assessing your suitability for employment with our organisation, including screening, shortlisting, interviewing, and making hiring decisions.
- Communication: Contacting you regarding your application, scheduling interviews, providing updates, and notifying you of future job opportunities if applicable.
- Carry out background and reference checks including criminal convictions (after acceptance of a job offer).
- Compliance: Complying with legal obligations, internal policies and industry standards.
Our legal basis for processing this information is to assess your suitability for a role that you have applied for and as such we rely on Article 6 (1) (b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request, before entering into a contract.
If you provide any information about reasonable adjustments you require under the Equality Act 2010, the lawful basis we rely on for processing this information is Article 6 (1) (c) to comply with our legal obligations under the Act.
9.1 If you fail to provide personal data
If you fail to provide personal data when requested, which is necessary for us to consider your application (such as evidence of qualifications or work history), we may not be able to process your application further. For example, if we require references for this role and you fail to provide us with relevant details, we will not be able to take your application further.
9.2 Sensitive personal data
We will use your sensitive personal data only insofar as we are permitted by law to do so:
- We will use data about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.
- We will use data about your nationality or ethnicity to assess whether a work permit and a visa will be necessary for the role.
10. Candidates: Retention of data
We will retain your personal data for a period of 12 months (If you are unsuccessful). If you are successful, we will retain your information in line with our retention policy, which will be accessible in the CYJAX Intranet site.
We retain your personal data for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. We further retain such personal data in case a similar role becomes vacant for which you will be a fitting candidate. After this period, we will securely destroy your personal data in accordance with our data retention policy.
11. Candidates: Security
Please see section 3.
12. Candidates: Storage
Please see section 4.
13. Candidates: Sharing
We will only share your data internally (with staff who need the information to assess your application) and with third parties for the purposes of progressing your application, confirming your suitability for employment following a job offer and preparing for the commencement of your engagement with us. The third parties may include your recruitment agent or any job advertising platform through which you apply to us, and any party necessary for pre-employment screening.
CYJAX or its service providers share your personal data with third parties when:
- required by law.
- requested by a regulator.
- necessary to manage its working relationship with you/process your application.
- it is in the public interest to do so.
- necessary for fraud and data error investigations.
This may involve sharing special category personal data if you chose to provide it.
The third parties include the following service providers:
- Adobe – Purpose – contract e-signing
- M365 – Purpose – document storage and email
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
14. Candidates: Your rights in relation to personal data
Please see section 6
15. Candidates: Accessing, rectifying, restricting, objecting or erasure of your personal information
Please see section 7
C: Shareholders/Investors’ privacy notice
CYJAX respects your privacy and is committed to protecting your personal data. When you invest in CYJAX we process your data and we are the data controller. This means that we are responsible for deciding how we hold and use your personal data.
This notice explains how we obtain and manage your data.
16. Shareholders/Investors: Collection of personal data
In connection with your shareholding/investment, most of the information will be provided by you or someone on your behalf with your knowledge, such as a financial/investment agent. The information we will collect, use and store will usually include:
- Contact Information: Name, address, email address, phone number.
- Identity information.
17. Shareholders/Investors: Lawful basis and purpose of processing personal data
We process your personal data for the following purposes:
- Communication: Contacting you regarding your investment/shareholding, providing updates, reports, meetings and information you have requested.
- Compliance: Complying with legal obligations, policies, and industry standards, e.g. Know your customer checks.
- To address any queries, you raise with us.
Our legal basis for processing this information is to fulfil a contract with you and to complete required know your customer checks as required by law and as such we rely on Article 6 (1) (b) of the UK GDPR, which relates to processing necessary to perform a contract or to take steps at your request.
When you provide information to enable the completion of know your customer checks, the lawful basis we rely on for processing this information is Article 6 (1) (c) to comply with our legal obligations under the Act.
18. Shareholders/Investors: Retention
We retain your personal data for as long as reasonably required for the reasons explained and to meet legal, regulatory, tax or accounting needs.
19. Shareholders/Investors: Security
Please see section 3.
20. Shareholders/Investors: Storage
Please see section 4.
21. Shareholders/Investors: Sharing
We will only share your data internally and with third parties for the purposes of managing your shareholding and/or investment. The third parties may include your financial/investment agent.
CYJAX or its service providers share your personal data with third parties when:
- required by law.
- requested by a regulator.
- necessary to manage its working relationship with you/process your investment.
- It is in the public interest to do so.
- necessary for fraud and data error investigations.
- necessary for financial/ investment purposes.
The third parties include the following service providers:
- Adobe – Purpose – contract e-signing
- M365 – Purpose – document storage and email
All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
22. Shareholders/Investors: Your rights in relation to personal data
Please see section 7.
23. Shareholders/Investors: Accessing, rectifying, restricting, objecting or erasure of your personal information
Please see section 8.