Privacy and Cookie Policy

The following statement explains our policy regarding the personal information Cyjax Limited ("Cyjax") collects about you.

Last updated: 24.05.2018

Introduction

This policy covers our use of personal information that Cyjax collects when you use this website or our blog, or when you are subscribed to our services.

Cyjax is a Cyber Threat Intelligence company. The purpose of our service is to collect publicly available information from varying sources enabling us to provide consultancy and advisory services to clients about the risks they face to ensure their critical assets are secured.

We do this through a host of technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytical features that enable business entities to conduct analysis and generate outputs in the form of alerts, reports or data feeds.

Cyjax is dedicated to ensuring that all personal data is handled, stored and processed in compliance with statutory and regulatory requirements. Cyjax is ISO27001 certified demonstrating that it has implemented industry recognised standards to ensure that information is protected.

Statutory and Regulatory Requirements

Cyjax stores and processes all its information in compliance with the legislation outlined below.

Cyjax is registered with the United Kingdom Information Commissioner’s Office under reference ZA053004 as required by UK legislation.

Information Collection and Processing

All our information is drawn from publicly available sources and is collected wholly for the purposes of research and prevention and detection of threat intelligence or crime.

We may process your personal information for carefully considered and specific purposes which are in our interests and enable us to enhance the services we provide and also benefit our customers. These include the following:

Processing personal information also enables us to meet the contractual obligations we have with our clients, ensuring they are:

The information we provide is only as accurate as the original source and is reported objectively, without favour or bias. The management of Cyjax has no role in promoting any related or other cause.

What information do we collect?

We collect information from numerous publicly available sources including, but not exclusive to, information about individuals, organisations, financial information, data leaks and vulnerabilities to ensure our clients are aware of threats facing them and are equipped with the data required to protect their critical assets.

Cyjax processes potential customer information with the legitimate interest of pursuing business leads and relationships. You may be asked to submit personal information about yourself (e.g. name and email address) in order to contact us. By entering your details in the fields requested, you have given Cyjax consent to provide you with the information you require by the method of your choice. Whenever you provide such personal information, we will treat that information in accordance with this policy. When using your personal information we will act in accordance with current legislation and aim to meet current Internet best practice.

If you provide the email address of a third party to us we understand that you have permission to use this email address.

The Cyjax website and blog do not automatically capture or store personal information, other than logging personal information provided, the user's IP address and session information, such as the duration of the visit and the type of browser used. This is recognised by the web server and is only used for system administration and to provide statistics, which Cyjax compiles to evaluate site use. Please see our Cookie Policy below.

How we use and protect information

When you supply any personal information to us we have legal obligations towards you in the way we use this data. We must collect the information fairly, that is, we must explain how we will use it and tell you if we want to pass the information on to anyone else.

Sharing

Any information you provide to Cyjax, or Cyjax collects, will only be used within Cyjax for direct marketing purposes; it will not be shared with any third parties for commercial gain or sold.

The only instance in which we would share this information is where we are obliged or permitted by law, or consent has been given, not for marketing purposes.

If Cyjax becomes involved in a merger or acquisition or decides to sell some of its assets, which may include information assets, we will ensure the confidentiality of your information.

Storage

Cyjax is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately and held securely in accordance with the General Data Protection Regulation (GDPR).

We are ISO 27001 certified, thereby demonstrating that we have the appropriate Information Security Management Framework in place to ensure that all our information assets and networks are secure. We review our data collection, storage and processing procedures regularly at the Information Management Security Forum to ensure we are adhering to our Privacy Policies, maintaining the confidentiality and integrity of information and continuing to have a lawful basis for processing this information in accordance with Article 6 of GDPR. These six principles can be viewed here.

We store our information on dedicated servers in an N+2 facility that operates a strict physical access policy and maintains logical separation controls ensuring the confidentiality and integrity of Cyjax information. The data centre has a second geographically located N+2 facility that provides failover services to ensure availability of the information is maintained.

All communication and data is encrypted using end-to-end encryption.

Information may be stored outside the country in which it was submitted, in accordance with this Privacy Policy and the controls and regulations outlined under our Information Security Management Framework. We can ensure adequate protection is in place to keep all our information assets secure and in accordance with the laws and regulations outlined below.

We store information we collect in adherence with defined retention periods that are regularly reviewed.

Processing

We will always ensure that whenever personal data is processed industry standards are maintained.

3.2. Customers and Potential Customers

The processing of personal information that our clients have supplied to us is necessary to meet the terms of our contracts and therefore our clients have given their consent.

Cyjax maintains pipeline information with the purpose of direct marketing. Where consent has not been given, Cyjax processes this information and sends you marketing emails with a legitimate business interest.

Every email we send to you for marketing purposes will also contain instructions on how to unsubscribe from receiving them. This personal data is collected in a number of ways:

The first two require the individual or company to provide an email address, name of the individual and company and in some instances a contact telephone number.

Cyjax has a Legitimate Interest in processing this data, which includes the following reasons:

A Legitimate Interest Assessment has been completed and is reviewed annually. Cyjax considers that the processing of this personal data can be reasonably expected due to the consent given and is proportionate to both Cyjax’s business interest and the expressed interest of the individual.

Cyjax understands that whereas the above legal bases for processing apply to corporate email addresses and subscribers, the processing of private email addresses under the Privacy and Electronic Communications Regulation (PECR) must strictly rely on consent. Individuals who have provided Cyjax with a private email address will be contacted and provided with the option to ‘opt out’ of receiving event invitations and future communications.

A ‘cease processing request’ from an individual will be acknowledged immediately. The individual will receive an automatic email response stating that Cyjax intend to comply with the request.

Cyjax reviews all pipeline information every eighteen months.

3.2.2 Members of the Public

Cyjax’s business purpose is to provide our clients with threat intelligence notifying them of risks to their critical assets, including exposure of customer, staff or supplier credentials and assets which includes personal data and at times special category data. When processing this type of personal data Cyjax is processing in accordance with the purpose outlined in Article 6 (b); to meet contractual obligations.

Cyjax relies on the further legal bases of Articles 6 (e) and (f) which relate to the processing being necessary both to, ‘perform our official function’ and having a ‘Legitimate Interest’ for processing personal data, both of which apply.

The Cyjax purpose for processing this personal data is demonstrated through identifying threats to our clients, their third-party suppliers, customers and their assets. This also assists with the prevention and detection of fraud and identifying threats to information security in the public interest. Cyjax also has a legitimate interest in disclosing information about possible criminal acts or security threats to the authorities.

On occasion clients may request profiles on individuals that pose a threat to their organisation or on individuals within their organisation to identify threats, such as exposure of sensitive information or assets which could be used to leverage attacks against them. Cyjax have carried out a Data Protection Impact Assessment as outlined in Recital 91 (GDPR) to ensure that every step to mitigate risk and privacy concerns to the individuals has been considered and where possible mitigated.

Due to the large amount of data Cyjax is collecting for this purpose, Article 14 (5) (b) and in an unknown number of instances 14 (5a) applies:

Article 14 GDPR

Paragraphs 1 to 4 shall not apply where and insofar as:

  1. the data subject already has the information;
  2. the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;

It cannot feasibly be verified whether individuals are already aware that their personal data has been exposed and it would involve a disproportionate effort to notify individuals and ask their consent for storing this data. Similarly, Cyjax cannot verify if this data contains any PII relating to a child data subject. Cyjax's processing of this data does however minimise the threat to them and potentially mitigate against PII-related attacks that could be carried out against them, Cyjax clients and the wider population.

Everyone has the right to object to this processing and if you wish to do so please contact us using privacy@cyjax.com.

Contacting You

We will not contact you for promotional purposes, such as notifying you of improvements to the service or new services, unless you specifically agree to be contacted for such purposes at the time you submit your information on the site, or at a later time if you sign up specifically to receive such promotional services.

Access to your personal information

You have the right to request a copy of the personal information Cyjax holds about you and to have any inaccuracies corrected by requesting a Subject Access Report (SAR).

Requests for SARs will be acknowledged within three working days, with the final response and disclosure of information (subject to exemptions) within 40 calendar days. If you wish to request a SAR please contact us at privacy@cyjax.com.

Updating your personal information

You have the right to update or delete the personal information Cyjax holds about you. Please contact us at privacy@cyjax.com.

A ‘cease processing request’ from an individual will be acknowledged immediately. The individual will receive an automatic email response stating that Cyjax intend to comply with the request.

Internet Log Information

What is an IP address?

Internet Protocol (IP) addresses are unique identifiers used to facilitate actions on the internet by being assigned to individual devices, websites and anything connected to the internet. Under GDPR ‘Personal Data’ refers to “any information relating to an identified/identifiable natural person,” which includes IP addresses.

We have a legitimate business interest to collect IP addresses and store them for 30 days for the following reasons:

In no instance will these be used to identify you.

Cookie Policy

How Cookies are used by Cyjax

Cyjax uses Google Analytics software to help us improve the usability of our website. The type of information gathered relates to the amount of time spent on the website and the pages visited. No personal information is held and cookies cannot be used to identify you.

When you view our website for the first time from a new device you will see the following message pop up:

To optimise your experience cookie settings on the website are set to allow all cookies. By continuing your journey throughout the website you consent to this.

In order to consent you are required to click the 'Accept' button.

Cookies are used to improve services for you, for example:

Cookies are stored in the computer's memory only during your browsing session and are automatically deleted from your computer when the browser is closed.

These cookies usually store a session ID that is not personally identifiable to users, allowing you to move from page to page without having to log-in repeatedly.

Session cookies are never written on the hard drive and they do not collect any information from your computer. Session cookies expire at the end of your browser session and become no longer accessible after the session has been inactive for a specified length of time, usually 20 minutes.

Our use of third party Cookies

As mentioned above we only collect Google Analytics cookies.

Google Analytics

Cookie Name: _utma
Typical content: randomly generated number
Cookie Expires: 2 years

Cookie Name: _utmb
Typical content: randomly generated number
Cookie Expires: 30 minutes

Cookie Name: _utmc
Typical content: randomly generated number
Cookie Expires: when user exits browser

Cookie Name: _utmz
Typical content: randomly generated number and information about how the page was reached (e.g. directly or via a link, organic search or paid search)
Cookie Expires: 6 months

Cookie Name: __utmmobile
Typical content: randomly generated number
Cookie Expires: 2 years

For further details on the cookies set by Google Analytics, see the link below.

Cookies set by Google Analytics

How to opt out of cookies

Our website works better with cookies enabled. Our cookies do not give us or anyone else access to your personal data. We advise you to keep cookies enabled. However, you can choose to reject cookies.

You can use your browser to delete and reject cookies. Please see the links below for instructions on how to delete cookies and how to control cookies.

Disclaimer

As far as is reasonably possible, Cyjax will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, as we regularly virus check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.

For information on the Data Protection Act 1998, the Privacy and Electronic Communications (EC Directive) Regulations 2003, General Data Protection Regulation (GDPR) and the Information Commissioner’s Office, please follow this link: https://ico.org.uk/.