Last Updated: November 26, 2018
Read this Policy and make sure you fully understand our practices in relation to privacy and protection of Personal Data, before you access or use the Website, and/or our Services. If you have further questions or concerns regarding this Policy please contact us at: email@example.com.
(* All capitalized terms shall have the meaning as defined below)
"Applicable Laws" shall mean EU Privacy Laws and Israeli Data Protection Legislation, to the extent applicable to CyCognito, and any other applicable privacy or other law to which CyCognito is subject.
"EEA" shall mean the European Economic Area.
"EU Privacy Laws" shall mean the GDPR and/or European Union Member State laws, rules and guidelines implementing or supplementing the GDPR.
"GDPR" shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), and as amended, replaced or superseded from time to time.
"Israeli Data Protection Legislation" shall mean the Israeli Privacy Protection Law 5741 - 1981 ("PPL"), the regulations promulgated pursuant thereto and the applicable guidelines issued by the Israeli Privacy Protection Authority, and as amended, replaced or superseded from time to time.
"Personal Data" shall have the meaning ascribed to it in the GDPR and shall also include the terms “Information” and “Sensitive Information” as defined under the PPL. To put it simply, this information may identify an individual or is of a private and/or sensitive nature, such as an individual’s name, address or bank account information.
"Non Personal Data" shall mean information that does not personally identify a natural person and does not reveal a natural person’s specific identity, such as anonymized information.
The terms "Client", "Client IT Systems", "Services" and "Website" shall have the same meaning as ascribed to them in CyCognito's Terms of Service, which can be accessed at this link: Terms of Service.
"Visitor" shall mean a visitor of our Website whose Personal Data CyCognito processes in the capacity of a Controller.
"User" shall mean an individual who is registered to the Services, has access to and makes use of the Services (whether during a trial period for testing the Services or under a contract with CyCognito); and whose Personal Data CyCognito processes in the capacity of a Controller.
"Client's User" means an individual who has access to and makes use of a Client’s IT Systems; and whose Personal Data CyCognito processes in the capacity of a Processor.
"Data Subject" shall have the meaning ascribed to it in the GDPR and the PPL and shall include all types of individuals defined in this Policy such as a Visitor and a User.
"Controller" shall have the meaning ascribed to it in the GDPR and shall include the term “Database Owner” under the PPL.
"Processor" shall have the meaning ascribed to it in the GDPR and shall include the term “Database Holder” under the PPL.
"Subprocessor" shall mean any entity appointed by us or by one of our Processors/Subprocessors, to Process Personal Data on our behalf or on behalf of that Processor/Subprocessor; excluding any employee of CyCognito or of CyCognito’s Processor/Subprocessor or of any such appointed person but including any contractor or affiliate of the foregoing.
"Database Owner", "Database Holder", "Database", "Database Manager", and "Information Security Event" shall have the meanings ascribed to them in the Israeli Data Protection Legislation.
The terms "Processing", "Supervisory Authority" and "European Commission" shall have the meaning ascribed to them in the GDPR.
"Personal Data Breach" shall mean a breach of security or other incident leading to the accidental or unlawful destruction, loss, alteration, the unauthorized disclosure or use of, or access to, or harm to the integrity of, Personal Data transmitted, stored or otherwise Processed, as defined in the GDPR and shall also include all types of Information Security Events detailed in Israeli Data Protection Legislation.
"Business Contact" means an employee, contractor or any other individual affiliated with and authorized by a potential Client or a Client to inquire for information regarding our Services and/or to engage us for the provision of our Services.
This Policy was originally written in English. If you are reading a translation and it conflicts with the English version, please note that the English version prevails.
THE TYPES OF PERSONAL DATA THAT WE COLLECT
PERSONAL DATA THAT DATA SUBJECTS PROVIDE TO US
If you are a Visitor to Our Website and/or a Business Contact inquiring for more information about our Services, you may provide us with Personal Data through our contact form or our company e-mail address in order for us to contact you. This Personal Data may include: your contact details such as: full name, e-mail, company phone number and/or personal phone number, position in workplace and name of workplace, company and/or personal address including city, state/region and postal code. Please do not provide further Personal Data than is required for us to contact you.
If you are a Visitor to Our Website and/or a Business Contact and you are interested in acquiring our Services, or if you are a User of our Services who is interested in registering to the Services, you may provide us with Personal Data including: the same categories as mentioned in Section 3.1(a) with respect to yourself and/or the individual/s who will be the signatory/ies to an agreement between the Client and CyCognito and/or who will manage the relationship with us.
PERSONAL DATA THAT WE COLLECT OR GENERATE
Personal Data collected on the Website:
Personal Data collected within the provision of the Services:
If you are a User of our Services, we may collect your Personal Data related to your activity on the Services. This includes (by way of a non-exhaustive list): last login, e-mail of the individual who sent you the invitation to use the Services, the date the invitation was sent, your activity on the platform upon which the Services are provided such as referring/exit pages, date/time stamps, the web page you were visiting and information you search.
When providing our Services, as part of our screening of the Client’s IT Systems in order to detect vulnerabilities to cyber attacks, we may incidentally view or collect Personal Data about Client’s Users or other Data Subjects associated with the Client’s IT Systems, such as e-mail addresses, IP addresses, etc.; for the sole purpose of delivering our Services. Where we process Personal Data of Visitors and Users, we do so as Controllers. Where we process Personal Data of Client’s Users, or other Data Subjects whose Personal Data we may view on Clients’ IT Systems, we do so as Processors.
In addition to the categories of Personal Data described above, we will also Process further anonymized information and data that is not Processed by reference to a specific individual. We may collect this Non-Personal Data through the Website in the following ways:
Information that your browser sends ("Log Data"). This Log Data may include, but is not limited to, non-identifying information regarding the User’s device, operating system, internet browser type, screen resolution, language and keyboard settings, internet service provider, referring/exit pages, date/time stamps, the web page you were visiting, information you search, etc.
We may use automated devices and applications to evaluate usage of our Service. We use these tools to help us improve our Website, performance and user experience. We may also engage third parties to track and analyze data or provide other services on our behalf. Such third parties may combine the Non-Personal Data that we provide about you with other information that they have collected from other sources. This Policy does not cover such third parties’ use of the data and such use is governed by such third parties’ privacy policies.
Other websites and applications may also place or read cookies on your computer’s browser. Please see Section 8 "SHARING INFORMATION WITH OTHERS" below.
HOW WE USE PERSONAL DATA
Personal Data is used for the following primary purposes (as may be updated from time to time):
To provide and operate the Website and Services;
to monitor and analyze use of the Website and Services and study and analyze the functionality of the Website and Services;
to provide on-going assistance and technical support to Clients and to maintain the Website and Services;
to provide service announcements and notices as needed for the provision of the Services; and to provide promotional messages and market our Services (it being clarified that at any time Data Subjects may choose (opt out) whether their Personal Data is to be used for sending such promotional messages and marketing materials which are not an essential part of the Website or Services);
to enforce our Terms of Service, policies and other contractual arrangements, to comply with court orders and warrants, and prevent misuse of the Website and Services, and to take any action in any legal dispute and proceeding;
to better understand Visitors’ and Users’ needs, both on an aggregated and individualized basis, in order to further develop, customize and improve our Website and Services based on the preferences, experiences and difficulties of Visitors and Users;
to communicate with and to contact Visitors and Users in order to obtain feedback regarding the Website and Services;
to disclose to third party vendors, service providers, contractors or agents as necessary for them to perform functions on our behalf with respect to the Website and Services;
to create aggregated statistical data and other aggregated and/or inferred Non-Personal Data, which we or our business partners may use to provide and improve our Website and Services; and
as otherwise authorized by Data Subjects.
We may use e-mail addresses provided to us to contact Data Subjects when necessary, including in order to send reminders or offers and to provide information and notices about the Website and Services. At any time, Data Subjects may choose (opt out) whether their Personal Data is to be used for sending such marketing materials which are not an essential part of the Website or Services. Data Subjects may exercise their choice by contacting us at: firstname.lastname@example.org.
HOW WE USE NON-PERSONAL DATA
We may use information that is Non-Personal Data for the same purposes we use Personal Data (where applicable) and in addition in order to:
compile anonymous or aggregate information;
disclose to third party vendors, service providers, contractors or agents as necessary for them to perform tasks on our behalf in connection with the Website and Services;
monitor and analyze use of the Website and Services and for the technical administration and troubleshooting of the use of the Website and Services, and
provide us with statistical data.
We may use analytics tools. These tools help us understand Visitors’ behaviour on our Website and Users’ behaviour on our Services, including by tracking page content, click/touch, movements, scrolls and keystroke activities. The privacy practices of these tools are subject to their own policies and they may use their own cookies to provide their services. For further information about cookies, please see Section 13 of this Policy. Further information about the option to opt-out of these analytics services is available at: email@example.com.
From time to time, we may use additional or alternative analytics services. We will provide a notice of these changes on our Website and Services.
We use anonymous, statistical or aggregated information, which may be based on extracts of Personal Data, for legitimate business purposes including for testing, development, improvement, control and operation of the Website and Services. We may share such information with our third party providers as necessary for them to perform functions with respect to the Website and Services. It has no effect on Data Subject’s privacy, because there is no reasonable way to extract data from the aggregated information that can be associated with a Data Subject. We will share Personal Data only subject to the terms of this Policy, or subject to Data Subject’s prior informed consent.
THE LEGAL BASIS FOR USE OF PERSONAL DATA
We will only process Personal Data of Data Subjects where we have a legal basis to do so. The legal basis will depend on the purposes for which we received and/or collected and need to use the Personal Data. In almost all cases the legal basis will be:
To provide our Services under an agreement with a Client.
To fulfill a legitimate interest that we have as a business.
Because a Data Subject consented to us using its Personal Data for a particular purpose.
More information on each legal basis is provided below.
Processing the Personal Data is required for fulfilling our or a third party’s legitimate interests, for example:
we collect information about use of our Website and Services in order to identify and prevent its abuse;
we use Personal Data to maintain and improve our Website and/or Services by identifying Visitor and/or User trends and technical issues.
A Visitor/User has consented to the processing of its Personal Data for one or more specific purposes, for example: if a Visitor provided its details under the “Contact Us” tab in our Website we will contact that Visitor in order to provide further information.
A User has consented to the processing of its Personal Data for one or more specific purposes, for example: if a User provides its details in order to register to our Services and provides consent for the usage of cookies (where such consent is required), we will track that User’s activity on our Services.
It is hereby clarified that the legal bases detailed above are the legal bases for actions to process Personal Data, carried out by us in accordance with the GDPR. If processing of Personal Data is subject to other Applicable Laws, then the legal basis for processing Personal Data may differ accordingly.
For more information, see Section 11 "YOUR RIGHTS" below.
SHARING INFORMATION WITH OTHERS
We do not sell, rent or lease Personal Data. We may share Personal Data with service providers and other third parties, if necessary to fulfil the purposes for collecting the information, such as cloud vendors, subcontractors providing us processing services, etc., provided that any such third party will commit to protect privacy of Data Subjects as required under the Applicable Laws and this Policy.
Additionally, a merger, acquisition or any other structural change may require us to transfer Personal Data to another entity, provided that the receiving entity will comply with Applicable Laws and this Policy.
SHARING INFORMATION WITH AUTHORITIES
We may need to disclose Personal Data in response to lawful requests by public authorities or law enforcement officials, including for meeting national security or law enforcement requirements. We cooperate with government and law enforcement officials to enforce and comply with the law.
TRANSFER OF DATA OUTSIDE YOUR TERRITORY
We may store, process or maintain information in various sites worldwide, including through cloud-based service providers worldwide. Where the GDPR applies and we transfer Personal Data to another country outside the EEA, we will ensure that it is protected and transferred in a manner consistent with legal requirements. In relation to Personal Data being transferred outside of the EEA, for example, this may be done in one of the following ways:
the country that we send the Personal Data to might be approved by the European Commission as offering an adequate level of protection for Personal Data (Israel is an approved country);
the recipient might have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect Personal Data;
where the recipient is located in the US, it might be a certified member of the EU-US Privacy Shield scheme; or
through use of other mechanisms permitted by Applicable Laws to otherwise transfer your Personal Data outside the EEA.
Data Subjects can obtain more details of the protection given to their Personal Data when it is transferred outside the EEA (including a copy of the standard data protection clauses which we have entered into with recipients of the Personal Data) by contacting us as described in Section 19 "CONTACT US" below.
If a Data Subject is located in a jurisdiction where transfer of its Personal Data to another jurisdiction requires its consent, then the Data Subject provides us its express and unambiguous consent to such transfer or the storage, processing or maintenance of the Personal Data in other jurisdictions by using the Website and/or Services.
In all of the above cases in which we collect, use or store Personal Data, the Data Subject may have the following rights and, in most cases, the Data Subject can exercise them free of charge. At any time, Data Subjects may contact us at: firstname.lastname@example.org and request to know what Personal Data we keep about them. We will make good-faith efforts to locate the data that Data Subjects request to access.
We may retain certain information as deemed required by us in accordance with Applicable Laws, or for legitimate business reasons, for the duration as required under the Applicable Laws. In addition, we may delete any Personal Data pursuant to our policies, as in effect from time to time.
Note to our Data Subjects in the EU:
We hereby inform Visitors, Business Contacts and Users from the EU and any other EU Data Subjects whose Personal Data we may Process (in this section "You", "Your"), of the following rights (by virtue of EU Privacy Laws) with respect to the Processing of your Personal Data:
Note to our Data Subjects in Israel:
We hereby inform you of the following rights (by virtue of Israeli Data Protection Legislation) with respect to the Processing of your Personal Data:
If you are a Client’s User, we Process your Personal Data as a Processor and therefore you must refer to the Client with which you are employed or otherwise affiliated in order to exercise your rights. If you cannot get in touch with the relevant Client, you may contact us and we will make commercially reasonable efforts to assist you.
If you are a Data Subject in another jurisdiction - other rights may apply.
To exercise these rights, where applicable, please contact Our Client or, if applicable, use the appropriate functionality available on the Website or within the website dedicated to the Services or in Section 19 "CONTACT US" of this Policy.
RESPONSE TO REQUESTS
When a Data Subject asks us to exercise any of its rights under this Policy and the Applicable Laws, we may need to i) ask the Data Subject to provide us certain credentials to identify the Data Subject and to verify that the Data Subject is in fact who he/she claims to be, in order to avoid unlawful disclosure to that Data Subject of Personal Data related to others; and ii) ask the Data Subject questions to better understand the nature and scope of data that it requests to access.
We may redact from the data which we will make available to the Data Subject, any Personal Data related to others.
In this section, "You" shall mean a Visitor and/or User.
Some cookies used by the Website and/or Services are created per session, do not include any information about You, other than Your session key and are removed as Your session ends (usually after 24 hours). Other cookies remain saved to Your device’s hard drive and/or your mobile telephone device and enable us to recognize Your device in the event of a later visit to our Website and/or Services (persistent cookies). Persistent cookies allow us to make our Website and/or Services more user-friendly, effective and safe.
You can instruct your browser, by changing its options, to stop accepting cookies, to prohibit the Local Storage and/or to prompt you before accepting a cookie from the website you visit. Most devices and browsers will allow You to erase cookies from Your device’s hard drive, block acceptance of cookies, or receive a warning before a cookie is stored.
Please note that unless You block the acceptance of cookies, the Website and/or Services will utilize cookies upon Your use of the Website and/or Services (all unless it is required by Applicable Law to provide a separate consent to use such cookies, and in which case We will use such cookies only after we receive Your separate consent to such use and subject to Your right to withdraw such consent at any time).
Cookies and other Local Storage help us personalize the Website and/or Services and to:
track clicks and online activity to estimate usage pattern and perform other analytics;
gather information about Your approximate geo-location to provide localized content;
store information about Your preferences and the device or browser You are using, and thereby customize and personalize the Website and/or Services;
improve the Website and/or Services; and
prevent fraud and/or abuse of Our services.
In particular, we use Google Analytics. For more information about what Personal Data we collect through Google Analytics Cookies, please see this link.
We take the safeguarding of the Personal and Non-Personal Data very seriously, and use a variety of systems, applications and procedures to protect the Data from loss, theft, damage or unauthorized use or access when it is in our possession or control, including reasonable physical, technical and organizational measures which restrict access to the Data. These measures provide sound industry standard security. However, although we make efforts to protect privacy, we cannot guarantee that the Website will be immune from any wrongdoings, malfunctions, unlawful interceptions or access, or other kinds of abuse and misuse.
We also regularly monitor our systems for possible vulnerabilities and attacks, and regularly seek new ways for further enhancing the security of our Website and protection of our Visitors’ and Users’ privacy.
Data Subjects should take steps to protect against unauthorized access to their password, phone, and computer by, among other things, signing off after using a shared computer, choosing a robust password that nobody else knows or can easily guess, and keeping log-in and password credentials private. In addition, Data Subjects should take steps to protect against unauthorized access to Personal Data stored on their premises as well as defining limited access rights to such Personal Data on a need to know basis.
If a Data Subject receives an e-mail asking it to update its information with respect to the Website and/or Services, it should not reply and should contact us at: email@example.com.
CyCognito will comply with Applicable Laws in the event of any Personal Data Breach, and will inform Data Subjects of such Breach in accordance with Applicable Laws.
We retain different types of information for different periods, depending on the purposes for Processing the data, our legitimate business purposes as well as pursuant to legal requirements under the Applicable Law. We may retain Personal Data for as long as necessary to support the collection and the use purposes under this Policy and for other legitimate business purposes, for example, for storing data, for documentation, for cyber-security management purposes, legal proceedings and tax matters.
We may store aggregated Non-Personal Data without time limit. In any case, as long as a Data Subject uses the Website, we will keep information about that Data Subject, unless we are legally required to delete it, or if that Data Subject exercises its rights to delete the Personal Data.
OUR POLICY TOWARD CHILDREN
Our Website is not meant to be used by or for persons under 18; as such, we do not knowingly collect Personal Data from minors younger than 18. Insofar as Personal Data may be collected based on a Data Subject’s consent, the Data Subject must be above the age of 16 (or above the age of 13 if this is the legal requirement in your country). If these age requirements are not met, the Data Subject is required to obtain the consent of the parent or guardian to provide and process Personal Data in accordance with this Policy; lacking such consent, the Data Subject should not use the Website and/or Services.
If we need to adapt the Policy to legal requirements, the amended Policy will become effective immediately or as required.
A Data Subject’s continued use of the Website and/or Services following such notice shall constitute the consent of the Data Subject to any changes made and a waiver of any claim or demand in relation to such changes. If a Data Subject does not agree to the new or different terms, it should not use and is free to discontinue using the Website and/or Services (discontinuation of use of the Services is subject to any contractual obligations the Data Subject and/or Client may have towards CyCognito).
APPLICABLE LAW AND DISPUTE RESOLUTION
For further information about this Policy, please contact our Data Privacy Officer at: firstname.lastname@example.org.
We work hard to manage Personal Data responsibly. If you are unhappy about the way we do this, please contact us and we will make good-faith efforts to address your concerns. We are usually able to resolve privacy questions or concerns promptly and effectively. If you are not satisfied with the response you receive from us, you may escalate concerns to the applicable privacy regulator in your jurisdiction. Upon request, we will provide you with the contact details for that regulator.