Privacy and Cookie Policy
Last updated: September 08, 2024
This Privacy and Cookie Policy explains how CYBERCYTE LTD. (“we”, “us”, “our”) collects, uses, shares, and protects personal information obtained from users of our website https://cybercyte.com and related services. It applies to visitors and users in the United Kingdom, United States, and elsewher
2. Information We Collect
We may collect the following types of personal information:
Information about your use of our Products and Services (such as module statistics, active licenses used).
3. Personal Data Processed Within CyberCyte Platform
Some policies (e.g. Browser History, Active Directory User Analysis) can collect and analyse personal information for the end-users to detect any malicious activity within the SOFTWARE PRODUCT. When such policies are enabled, the SOFTWARE PRODUCT notifies the administrator before enabling it. By enabling these policies, YOU accept that the platform will collect this information. CYBERCYTE LTD. does not use or process this information for any commercial purpose and the collected information stays within the private instance created within the SOFTWARE PRODUCT. The end-users are responsible for deciding on collecting information, including personal information.
4. How Is This Data Used?
The data we receive is only processed to provide the requested security services. We do not collect any data that is not explicitly needed to provide such services nor share the collected information with any third party.
5. Threat Intelligence and Generative AI Data Processing
CYBERCYTE LTD. communicates anonymously with threat intelligence and Generative AI data platforms by masking the request’s source. CYBERCYTE LTD. performs this masking on a best-effort basis to hide information, which could include personal information. Additionally, CYBERCYTE LTD. does not track the source of requests from YOU. The product documentation at https://docs.cloudcyte.com describes what data is enriched through Threat Intelligence and Generative AI.
6. Data Sharing
We do not share your data with any third party. However, our service providers may disclose any information to provide certain services for our Products and Services to function, including data hosting, technical support, troubleshooting, etc.
7. Data Termination
When you request your account be deleted, all information stored in your account is deleted from our online systems. However, it may not be possible to delete the data from the backup copies. The backup copies are automatically deleted based on the retention period for the backups taken.
8. Legal Bases for Processing (UK)
For users in the UK, we process personal data on the following legal bases:
– Consent
– Performance of a contract
– Compliance with a legal obligation
– Legitimate interests
9. How We Use Collected Information
We use the information we collect to:
– Provide and improve our services
– Communicate with users
– Process payments
– Analyze usage of our website/app
– Personalize content and advertising
– Comply with legal obligations
10. Sharing of Information
We may share personal information with:
– Law enforcement, when required
We do not sell personal information as defined under the CCPA.
11. User Rights and Choices
Under the UK GDPR, users accessing CYBERCYTE LTD. services have the right to:
– Access your personal data
– Rectify inaccurate data
– Erase your data (“right to be forgotten”)
– Restrict processing
– Data portability
– Object to processing
– Not be subject to automated decision-making
– Know what personal information is collected, used, shared, or sold
– Delete personal information held by businesses
– Adjust your browser settings for cookies
– Contact us using the information.
12. Data Retention
We retain personal information for as long as necessary to fulfil the purposes outlined in this policy unless a longer retention period is required by law.
13. Data Security
We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction.
14. International Data Transfers
We may transfer personal information to countries outside your home country. For UK users, we ensure appropriate safeguards are in place as the UK GDPR requires.
15. Children’s Privacy
Our services are not intended for children under 13 (16 in the UK). We do not knowingly collect personal information from children under these ages.
16. Changes to This Policy
We may update this policy from time to time. We will notify users of any material changes by posting the new policy on this page and updating the “Last updated” date.
17. Contact Us
If YOU have any questions about this policy or wish to exercise your data protection rights, please contact us at:
CYBERCYTE LTD.
Davidson House, Forbury Square, King’s Rd, Reading RG1 3EU, England
Registered in England and Wales, Company Number 1825490
Tel: +44 118 9001422
e-mail: legal@cybercyte.com
For UK users: YOU have the right to lodge a complaint with the Information Commissioner’s Office (ICO).
18. Cookies and Similar Technologies
We use cookies and similar tracking technologies to:
– Remember user preferences
– Understand how users interact with our site
– Analyze site traffic and usage
– Provide personalized advertising
CYBERCYTE platform users can manage cookie preferences through their browser settings or our cookie management tool.
## Handling and Access Policy
Last updated: [DATE]
### 1. Introduction
This Handling and Access Policy outlines the procedures and guidelines for managing, accessing, and protecting sensitive information within [COMPANY NAME]. It is designed to comply with relevant UK and US data protection laws, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable US federal and state laws.
### 2. Scope
This policy applies to all employees, contractors, consultants, temporary workers, and other personnel working on behalf of [COMPANY NAME], regardless of their location. It covers all forms of sensitive information, including but not limited to:
– Personal data
– Financial information
– Intellectual property
– Trade secrets
– Confidential business information
### 3. Data Classification
All information shall be classified into one of the following categories:
– Public: Information that can be freely shared
– Internal: Information for internal use only
– Confidential: Sensitive information requiring strict controls
– Restricted: Highly sensitive information with the strictest access controls
### 4. Access Control Principles
4.1 Least Privilege: Users shall be granted the minimum level of access necessary to perform their job functions.
4.2 Need-to-Know: Access to sensitive information shall be granted only to individuals who require it for legitimate business purposes.
4.3 Separation of Duties: Critical tasks shall be divided among multiple individuals to prevent conflicts of interest and reduce the risk of fraud or error.
### 5. Access Request and Authorization
5.1 All access requests must be submitted through the designated Access Request Form.
5.2 Requests must be approved by the immediate supervisor and the relevant data owner.
5.3 The IT department shall implement approved access rights within 48 hours of authorization.
### 6. Authentication
6.1 Multi-factor authentication (MFA) is required for all accounts accessing sensitive information.
6.2 Passwords must meet the following criteria:
– Minimum 12 characters
– Combination of uppercase, lowercase, numbers, and special characters
– Changed every 90 days
– Not reused within 12 months
### 7. Monitoring and Auditing
7.1 All access to sensitive information shall be logged and monitored.
7.2 Regular audits of access rights shall be conducted at least quarterly.
7.3 Any suspicious activity must be reported immediately to the Information Security team.
### 8. Data Handling Procedures
8.1 Encryption: All sensitive data must be encrypted both in transit and at rest using industry-standard encryption protocols.
8.2 Data Transfer: Secure file transfer protocols must be used when transmitting sensitive information.
8.3 Physical Security: Hard copies of sensitive information must be stored in locked cabinets and shredded when no longer needed.
8.4 Remote Access: VPN must be used when accessing sensitive information remotely.
### 9. Incident Response
9.1 Any suspected data breach or unauthorized access must be reported immediately to the Incident Response Team.
9.2 The Incident Response Plan shall be activated in the event of a confirmed breach.
9.3 All relevant authorities shall be notified as required by UK and US laws, including the Information Commissioner’s Office (ICO) in the UK and applicable state attorneys general in the US.
### 10. Employee Responsibilities
10.1 All employees must complete annual security awareness training.
10.2 Employees must sign a confidentiality EULA upon hiring and annually thereafter.
10.3 Employees must report any suspected policy violations or security incidents.
### 11. Third-Party Access
11.1 Third-party vendors must undergo a security assessment before being granted access to sensitive information.
11.2 All third-party access must be governed by a written EULA that includes confidentiality and data protection clauses.
11.3 Third-party access shall be regularly reviewed and terminated when no longer necessary.
### 12. Compliance with UK and US Laws
12.1 UK GDPR and Data Protection Act 2018:
– Data subject rights shall be honored as required by law.
– Data Protection Impact Assessments (DPIAs) shall be conducted for high-risk processing activities.
– A Data Protection Officer (DPO) shall be appointed to oversee compliance.
12.2 US State Laws (e.g., CCPA, CPRA):
– Consumer rights, including the right to access, delete, and opt-out of data sales, shall be honored as required by applicable state laws.
– Privacy notices shall be provided as required by state laws.
12.3 Industry-Specific Regulations:
– Additional measures shall be implemented to comply with industry-specific regulations such as HIPAA, FERPA, or GLBA, as applicable.
### 13. Policy Review and Updates
13.1 This policy shall be reviewed annually and updated as necessary to reflect changes in laws, technology, or business practices.
13.2 All employees shall be notified of policy updates and required to acknowledge their understanding and compliance.
### 14. Enforcement
14.1 Violations of this policy may result in disciplinary action, up to and including termination of employment or contract.
14.2 Legal action may be pursued for serious violations that result in data breaches or other harm to the company.
### 15. Contact Information
For questions or concerns regarding this policy, please contact:
[CONTACT NAME]
Data Protection Officer
[EMAIL]
[PHONE]
By implementing this Handling and Access Policy, [COMPANY NAME] demonstrates its commitment to protecting sensitive information and complying with relevant UK and US data protection laws. All personnel are expected to familiarize themselves with this policy and adhere to its guidelines in their daily work.