Last updated 14/03/2023
This policy covers the use of personal information that CYJAX collects when you visit this website and blog.
2. Who we are
CYJAX is a Digital Threat Intelligence company that provides businesses with Threat Intelligence and alerting. We collect publicly available information from varying sources, enabling us to provide consultancy and advisory services to clients about the risks they face, and to ensure their critical assets are secured. We do this through technologies designed to perform both automated and manual sourcing of threat intelligence information, alongside advanced analytic features that enable business entities to conduct analysis and generate outputs in the form of alerts, reports, or data feeds.
CYJAX is dedicated to ensuring that all personal data is handled, stored, and processed in compliance with statutory and regulatory requirements.
Our registered office is: The Old Chapel, Union Way, Witney, Oxon, England, OX28 6HD
CYJAX is registered with the United Kingdom Information Commissioner’s Office (ICO) under reference ZA053004, as required by UK (United Kingdom) legislation.
2.1. EU (European Union) Representative
3. Collection of Personal data
We collect personal data from you for one or more of the following purposes:
- To fulfil a contract that we have entered into with you or with the entity that you represent. In these circumstances it may be your entity, rather than yourself, that has provided us with your personal data.
- To provide you with information that you have requested or that we think may be relevant to a subject in which you have demonstrated an interest.
- To initiate a contract and/or commercial transaction with you or the entity you represent for the purchase of one of our products.
- To ensure the security and safe operation of our websites and underlying business infrastructure and understand visitors’ usage of our website.
- To manage any communication between you and us.
As a visitor, you do not need to submit any personal information to use our website. Certain areas of the site allow you to provide us with personal information for purposes such as communicating with us, gaining access to view protected and secured content, or requesting communications about specific areas of interest.
3.1. Technical information
To ensure that each visitor to any of our websites can use and navigate the site effectively, we collect the following:
- Technical information, including the IP (Internet Protocol) address used to connect your device to the Internet.
- Your login information, browser type and version, time zone setting, browser plug-in types and versions.
- Operating system and platform.
- Information about your visit, including the URL (Uniform Resource Locator) clickstream to, through, and from our site.
In section 8 below, we identify your rights in respect of the personal data that we collect and describe how you can exercise those rights.
4. Lawful basis for processing personal data
When you supply any personal information to us, we have legal obligations towards you in the way we use it. We will always ensure that whenever personal data is processed, industry standards and legal requirements are maintained.
The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to make sure that only those people in our organisation who need to access your data can do so. Several data elements are collected for multiple purposes, as the table below shows.
When we process data on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:
- The purpose test – is there a legitimate interest behind the processing?
- Necessity test – is the processing necessary for that purpose?
- Balancing test – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?
| Purpose for collection | Data collected | Reason for collection | Information category | Lawful basis for processing | Data shared with | Retention period |
|---|---|---|---|---|---|---|
| Threat Intelligence Service Provision | Name, company name, job title and email address | To create and provide access to the Digital Threat Intelligence Platform | User credentials | Contractual Performance | Internally and Business entity you are a member of | 1 month following end of contract |
| Prevent & mitigate cyber threats | *Name, telephone, address/location, and email addresses, contact details, aliases, social media accounts, financial information e.g. credit card information, photographs, DOB | *To provide Threat Intelligence services to clients to enable risk management to their business and potentially fraudulent activity | Personal data – Open source on internet and dark net | Contractual Performance, Public interest & Legitimate Interests | Internally and with clients | 3 years |
| Transactional/invoice Information | Name, and physical business: address, email address, telephone number, bank account & details / payment information | To process payments and associated documentation for the Services provided to your organisation and to ensure any issues can be dealt with. For accounting, VAT and taxation purposes should any contractual legal claim arise | Transaction/invoice details | Contractual performance | Internally & Professional advisors | 7 Years |
| Security | Technical information, IP addresses, login information (where applicable) | To protect our websites and infrastructure from attacks and threats. To understand user behaviour on the website. To enable troubleshooting. To collect statistics of website usage | Security information | Legitimate interest | Internally | 12 months |
| Communications and account servicing | Names, contact details | To communicate with you regarding the service and new products. | Personal data – Contact information | Contractual Performance | Internally and CRM provider | 3 years following end of contract |
| Marketing and sales | Name, contact details | To communicate with you regarding our services and provide articles that we believe will be of interest to you | Personal data – Contact information | Legitimate Interest | Internally and CRM provider | 2 years |
*We collect open-source information published on the internet and darknet in order to supply our clients with threat intelligence services. As part of this we may capture any information relating to individuals which has been made publicly available. However, we do not specifically target the collection of information relating to members of the public. The processing of this information enables our clients to be:
- Aware of vulnerabilities or exploits targeting them, ensuring they keep their networks secure
- Aware of data breaches either directly impacting them or third parties
- Able to protect their critical assets
- Able to prevent PII-enabled attacks against them or their customers
- Aware of exposure of employee, or customer information
- Aware of direct threats to them or third parties
Due to the volume of data CYJAX is collecting for this purpose, we rely on exemptions in Articles 14 a) and b) of the General Data Protection Regulation (GDPR) as it cannot feasibly be verified whether individuals are already aware that their personal data has been exposed, and it would involve a disproportionate effort to notify them and ask their consent for storing this data. CYJAX’s processing of this data does minimise the threat to them and potentially mitigate against PII-related attacks that could be carried out against them.
4.1. Policy for handling marketing emails
If you have expressed an interest in CYJAX’s services, we will store your information in our system for email marketing and we will send you information which we believe will be of interest to you:
- Your information will not be sold, leased or otherwise made available to another company for their marketing purposes.
- All emails will be sent with technology that will not make your email address visible to other subscribers.
- All emails you receive from us will contain a link where you can unsubscribe from any further contact. If you use this system, your personal data will be deleted from the system for email marketing, and we will stop processing this data for marketing purposes.
4.2. Further information
CYJAX has completed a Data Protection Impact Assessment of all data processing activities it undertakes as required by Article 35 of the GDPR, to ensure both that it has legal bases for processing the information, and that this is necessary and proportionate.
Everyone has the right to object to this processing and if you wish to do so, please see the section below titled “Your rights in relation to personal data”.
CYJAX is dedicated to ensuring that all information is protected against unauthorised access, processed appropriately, and held securely in accordance with the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Our ISMS (information security management system) is certified to ISO/IEC 27001, demonstrating that we have the appropriate framework in place to ensure that all our information assets and networks are secure.
All communications and data are secured using end-to-end encryption.
We will make every practical effort to store and process your information in the country in which it was submitted. However, some of our third-party suppliers may be based outside the UK and European Economic Area (EEA), so there may be instances when data is stored and transferred outside the UK or EEA. In the eventuality that data is transferred outside these areas, we have the following safeguards in place:
- The country or relevant territory has an adequate level of protection as recognised by the Commission.
- Specific contracts approved by the appropriate Commission which give your personal information the same protection it has as if it stayed in the UK or EEA along with effective data controls.
- The third-party supplier has met our data security standards and is compliant with our information management security framework.
- All data is encrypted in transit, end-to-end, and at rest.
- Data is stored within defined retention periods and is regularly reviewed.
6.1. Third parties
We may disclose information to our carefully selected third parties to provide elements of our services and management of these services, such as hosting, invoicing system administration, file management. If the third party processes data on our behalf, we will ensure that the processor only has the information they require to perform their specific service, and is only entitled to process personal data to our specific instructions.
If we need to transfer your personal information to another organisation for processing in countries that are not located in the United Kingdom, European Economic Area or listed as ‘adequate’ by the Information Commissioner’s Office, we will only do so if we have sufficient protections in place to safeguard information, including, where appropriate, contractual terms approved by the relevant regulatory authorities.
We periodically appoint agents to conduct lead generating and marketing activities on our behalf. Such activity may result in the processing of personal information where we believe we have a legitimate interest in marketing our goods and services to existing customers and those who have expressed an interest in our services.
Our appointed agent:
Any information you provide to CYJAX, or that CYJAX collects, will only be used within CYJAX. It will not be shared with any third parties for commercial gain or sold.
The only other instances in which we would share this information are where we are obliged or permitted to by law, or consent has been given.
8. Your rights in relation to personal data
Under data protection laws in the European Union and the UK, you have certain rights in relation to your personal information. You have the right:
- to be informed about the collection and the use of your personal data
- to access personal data and supplementary information
- to have inaccurate personal data rectified, or completed if it is incomplete
- to erasure (to be forgotten) in certain circumstances
- to restrict processing in certain circumstances
- to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
- to cease/object to processing in certain circumstances
- rights in relation to automated decision making and profiling
- to complain to the Information Commissioner
We will handle all requests in accordance with applicable law. However, depending on the right you wish to exercise, and the nature of the personal information involved, there may be legal reasons why we cannot grant your request. If this is the case, we will write to you to explain the reasons why.
9. Access to your personal information
Requests will be acknowledged within three working days, with the final response and disclosure of information (subject to exemptions) within 30 calendar days.
10. Rectifying, restricting, objecting to processing of, or erasure of your personal information
A ‘cease processing request’ from an individual will be acknowledged immediately with an automatic email response stating that CYJAX intends to comply with the request.
As far as is possible, CYJAX will ensure that information provided on this website is accurate. We cannot accept any liability whatsoever for omission or error. Equally, although we regularly virus-check materials, we cannot accept any responsibility for any disruption or damage that may occur during use of this website.
Links to other websites included on this website do not imply any endorsement, validation, or responsibility by CYJAX as to the content or privacy policies of such sites. We cannot guarantee that these links will work all the time and we have no control over the availability of the linked pages.