The following statement explains how and when Cyjax Limited (“Cyjax”) uses your personal information.
This policy covers the use of personal information that Cyjax collects when you visit this website and blog.
Cyjax is a Cyber Threat Intelligence company. The purpose of our service is to collect publicly available information from varying sources, enabling us to provide consultancy and advisory services to clients about the risks they face, and to ensure their critical assets are secured.
We do this through a host of technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytical features that enable business entities to conduct analysis and generate outputs in the form of alerts, reports or data feeds.
Cyjax also provides incident response capabilities. Using our advanced, ever-evolving technology and expert consultancy, we can assist in rapidly identifying and mitigating incidents, as well as in ensuring legal and regulatory compliance is met.
Cyjax is dedicated to ensuring that all personal data is handled, stored and processed in compliance with statutory and regulatory requirements.
Statutory and Regulatory Requirements
Cyjax is ISO 27001-certified, demonstrating that it has implemented industry-recognised standards to ensure that data is protected. We store and process all information in compliance with the General Data Protection Regulation (GDPR); however, we also recognise and adhere to standards and laws in both the UK and in other countries including, but not exclusively:
- The Companies Act 2006 (UK)
- Privacy and Electronic Communications (EC Directive) Regulations 2003
- The Data Protection Act 2018 (UK)
- HIPAA – The Health Insurance Portability and Accountability Act (USA)
- US-EU Privacy Shield
- The California Consumer Privacy Act (CCPA) (takes effect 1 January, 2020)
We undertake always to adhere to the highest global standards of storing and processing information.
Cyjax is registered with the United Kingdom Information Commissioner’s Office (ICO) under reference ZA053004, as required by UK legislation.
We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Privacy Notice. If you have any queries about it, including any requests to exercise your legal rights, please email our Data Protection Officer at firstname.lastname@example.org
2) What information do we collect?
Website and blog
You may be asked to submit personal information about yourself (e.g. name and email address) in order to contact us. When entering your details in the fields requested, you will be asked to select how we may contact you, thereby giving Cyjax consent to provide you with the information you require, by the method of your choice. Whenever you submit such personal information, we will treat it in accordance with this policy, and when using it, we will act in accordance with current legislation.
If you provide us with the email address of a third party, we understand that you have permission to use it.
When you supply any personal information to us, we have legal obligations towards you in the way we use this data. We must collect the information fairly: that is, we must explain how we will use it and tell you if we want to pass it on to anyone else.
Any information you provide to Cyjax, or Cyjax collects, will only be used within Cyjax. It will not be shared with any third parties for commercial gain, marketing purposes, or sold.
The only instance in which we would share this information is where we are obliged or permitted to by law, or consent has been given.
If Cyjax becomes involved in a merger or acquisition or decides to sell some of its assets, which may include information assets, we will ensure the confidentiality of your data.
Storage and security
Cyjax is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately, and held securely in accordance with the General Data Protection Regulation (GDPR).
We are ISO 27001-certified, thereby demonstrating that we have the appropriate Information Security Management Framework in place to ensure that all our information assets and networks are secure. We review our data collection, storage and processing procedures regularly at the Information Management Security Forum to ensure we are adhering to our Privacy Policies, maintaining the confidentiality and integrity of information, and continuing to maintain a lawful basis for processing this information in accordance with Article 6 of GDPR. These principles can be viewed here.
We store our information on dedicated servers in an N+2 facility that operates a strict physical access policy and maintains logical separation controls ensuring the confidentiality and integrity of Cyjax information. The data center has a second N+2 facility in a different geographical location that provides failover services to ensure availability of the information is maintained.
We will make every practicable effort to store and process your information in the European Economic Area (EEA). However, some of our third-party suppliers’ storage facilities may be based outside the EEA, so there may be instances in which data is stored and transferred outside of the EEA.
Whenever we transfer information outside of the EEA, we will protect it by ensuring that:
- The country or relevant territory it is transferred to has an adequate level of protection as recognised by the European Commission
- If the supplier is based in the US, they are part of the Privacy Shield programme which requires them to provide similar protection to personal data shared between Europe and the US
- The third-party supplier has met our data security standards, and is compliant with our Information Management Security Framework
- We use specific contracts approved by the European Commission which give your personal information the same protection it has as if it stayed in the EEA.
All communication and data are secured using end-to-end encryption.
We store the information we collect in adherence with defined retention periods that are regularly reviewed.
4) Legal bases of data processing
We will always ensure that whenever personal data is processed, industry standards and legal requirements are maintained.
Cyjax maintains pipeline information for direct marketing purposes. Where consent has been given, Cyjax processes this information and sends you marketing emails on the basis of a legitimate business interest in promoting our business. A Legitimate Interest Assessment has been carried out in respect of this processing activity.
Every email we send to you for marketing purposes will also contain instructions on how to unsubscribe from receiving them.
This personal data is collected in a number of ways:
- Conferences, trade shows and exhibitions
- Individuals expressing an interest in our service
- Google AdWords
The first two require the individual or company to provide an email address, name of the individual and company, and in some instances, a contact telephone number.
Cyjax has a Legitimate Interest in processing this data, which includes the following reasons:
- To enable Cyjax to enhance and maintain our service
- Pursue business and commercial leads
- To identify and prevent fraud and crime
- To understand how people interact with our website and our service
A Legitimate Interest Assessment (LIA) has been completed and is reviewed annually. Cyjax considers that the processing of this personal data can be reasonably expected due to the consent given, and is proportionate to both Cyjax’s business interest and the expressed interest of the individual.
If you have completed an online contact form and opted in to receive marketing communications from us or requested a demo, we will handle your personal information in line with any preferences you have told us about.
We also collect personal information so that we can communicate new developments to our customers and to those people who have subscribed to mailing lists or expressed an interest in our service. If at any time you do not wish to receive these kinds of communications, please use the unsubscribe link provided in all our emails or contact us on email@example.com.
Internet Log Information
What is an IP address?
Internet Protocol (IP) addresses are unique identifiers used to facilitate actions on the internet by being assigned to individual devices, websites and anything connected to the internet. Under GDPR, ‘Personal Data’ refers to “any information relating to an identified/identifiable natural person” which includes IP addresses.
We have a legitimate business interest to collect IP addresses and store them for 30 days for the following reasons:
- To collect statistics of website usage
- To understand user behaviour on the website
- To protect our systems and detect unauthorised access
- In instances of trouble-shooting, IP logs can help resolve the issue
In no instances will these records be used to identify you.
If you sign up for one of our services, your data will be used in order to fulfil the contract we have with you. We only use Personal Information provided by business contacts for the purpose for which it was collected.
The processing of personal information that our customers have supplied to us is necessary to meet the terms of our contracts, and therefore our customers have given their consent.
Generally, if our security platform captures any personally identifiable information (PII) about you, it will include the following: name and email address. Occasionally this information may also contain one or a combination of the following: work and home address, contact details, aliases and social media account details. This list is not exhaustive.
We process your information for these reasons because we have a Legitimate Interest in providing a comprehensive service to our customers and it is necessary to fulfil our official function.
Part of the eDiscovery investigation service is to process information that may have been compromised. As such, our customers will provide us with the information (“Client Data”) to process in order to identify those individuals who may have had their data unlawfully accessed. This often contains personally identifiable information and, at times, special category data.
When processing this information, our customer is the Data Controller under GDPR for any Client Data containing Personal Information, meaning that such party controls the manner in which the information is collected and used, as well as the determination of the purposes and means of the processing of such Personal Information.
Cyjax is not responsible for the content of the Personal Information contained in the Client Data or other information, nor are we responsible for the way the customer or subscriber collects, handles, discloses, distributes or otherwise processes such information.
Cyjax has completed a Data Protection Impact Assessment of all data processing activities it undertakes as required by the GDPR, to ensure that it has legal bases for processing the information and it is necessary and proportionate.
Cyjax reviews data retention periods regularly.
Everyone has the right to object to this processing. If you wish to do so, please see the section below titled “Your rights in relation to personal data”.
5) Your rights in relation to personal data
Under data protection laws in the European Union and the UK, you have certain rights in relation to your personal information.
You have the right to:
- Request information about how your personal data is processed, and to request a copy of that personal data
- Request that any inaccuracies in your personal data are rectified without delay
- Request that any incomplete personal data is completed, including by means of a supplementary statement
- Request that your personal data is erased if there is no longer a justification for it to be processed
- In certain circumstances (for example, where accuracy is contested) request that the processing of your personal data is restricted
- Object to the processing of your personal data
- Withdraw your consent at any time by contacting firstname.lastname@example.org
A full list of your rights under the General Data Protection Regulation (GDPR) is available on the Information Commissioner’s Office (ICO) website.
We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. If this is the case, we will write to you to explain the reasons why.
Access to your personal information
In order to exercise your right to request a copy of the personal information Cyjax holds about you, you can submit a Subject Access Request (SAR).
Requests for SARs will be acknowledged within three working days, with the final response and disclosure of information (subject to exemptions) within 30 calendar days. If you wish to request a SAR, please contact us at email@example.com.
Rectifying, restricting, objecting or erasure of your personal information
To exercise your right to rectify, restrict, object or erase the personal information Cyjax holds about you, please contact us at firstname.lastname@example.org.
A ‘cease processing request’ from an individual will be acknowledged immediately with an automatic email response stating that Cyjax intends to comply with the request.
For information on the Privacy and Electronic Communications (EC Directive) Regulations 2003, General Data Protection Regulation (GDPR), Data Protection Act 2018 and the Information Commissioner’s Office, please follow this link: https://ico.org.uk/.
How cookies are used by Cyjax
Cyjax uses Google Analytics software to help us improve the usability of our website.
The type of information gathered relates to the amount of time spent on the website and the pages visited. No personal information is held and cookies cannot be used to identify you.
When you view our website for the first time from a new device, you will see the following message pop up:
In order to consent you are required to click the ‘Accept’ button.
Cookies are used to improve services for you, for example by:
- Enabling a service to recognise your device so you do not have to give the same information several times during one task
- Measuring how many people are using services to make them easier to use and to ensure there is enough capacity for them to function quickly
- Analysing data to help us understand how you use our services so we can improve them
Cookies are stored in the computer’s memory only during your browsing session and are automatically deleted from your computer when the browser is closed.
These cookies usually store a session ID that is not personally identifiable to users, allowing you to move from page to page without having to log in repeatedly.
Session cookies are never written on the hard drive and they do not collect any information from your computer. Session cookies expire at the end of your browser session and are no longer accessible after the session has been inactive for a specified length of time, usually 20 minutes.
As mentioned above, we only collect Google Analytics cookies. For example:
Cookie Name: _utma
Typical content: randomly generated number
Cookie Expires: 2 years
Cookie Name: _utmb
Typical content: randomly generated number
Cookie Expires: 30 minutes
Typical content: randomly generated number
Expires: when user exits browser
Cookie Name: _utmz
Typical content: randomly generated number and information about how the page was reached (eg directly or via a link, organic search or paid search)
Cookie Expires: 6 months
Cookie Name: __utmmobile
Typical content: randomly generated number
Cookie Expires: 2 years
For further details on the cookies set by Google Analytics, see the link below.
How to opt out of cookies
Our website works better with cookies enabled. Our cookies do not give us or anyone else access to your personal data. We advise you to keep cookies enabled. However, you can choose to reject them.
As far as is reasonably possible, Cyjax will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, although we regularly virus-check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.
7) How to contact us