Privacy Policy

When you deal with CyberCX you trust us with your information. We take privacy seriously and we are committed to protecting the data you provide us with.

This policy explains when and why we collect personal data about you, how this data is used. The conditions under which it may be disclosed to others, and how it is kept secure.

This policy may change from time to time so please re visit this page occasionally to ensure that you are happy with any changes

The Company (hereinafter collectively referred to as the “Company”, “us”, “we”, or “our”) complies with the UK Data Protection Act and The GDPR further the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the processing of personal data (“PII”). CyberCX has certified that it adheres to all applicable provisions of the Privacy Shield Framework, including the Privacy Principles, the Supplemental Principles and Annex 1 of the Framework. To learn more about the Privacy Shield program, and to view CyberCX’ certification please visit

Who we are?

The CyberCX group unites the most trusted cyber security companies to deliver a comprehensive cyber security capability for enterprises and governments across the UK, US and Australia. With a workforce of 600+ cyber security professionals, a footprint of more than 20 offices across the globe, CyberCX offers the ultimate end-to-end cyber security service.

How we collect data.

When we refer to personal data, we refer to information that could identify you directly, such as your name, or indirectly by a certain characteristic combined with information we already hold about you.

We may receive information about you from you or third parties. Where we receive information about you we will only use that information for the purposes we have collected the data.

You provide us with information about yourself when you visit our website, engage with us to provide consultant services, entering information via our website – opt in/providing consent. You may even provide details about yourself by communicating with us via social media, phone or email. Or you become a supplier.  We may automatically collect information about you which may observe, detect or create without directly asking you to supply this information. This information is automatically gained through the use of our website or online services. Please refer to the ‘cookies’ section.

We may collect and process information about you in the following ways:

Information received from third parties and who those third parties may be.

  • Recruitment companies, as part of the recruitment process
  • Employers may provide references about you to Cyber CX
  • Clients provide information relating to actual or potential engagement
  • Suppliers.
  • Clients.
  • CCTV

If your application for employment is successful, the information you provided during the application process will be retained by us as part of your employee file for the duration of your employment.

We may contact previous/present employers, asking them to provide a reference. If you are unsuccessful at any stage of the process, the information will be retained for 12 months following the closure of the recruitment drive.

How we use your personal data which is supplied by third parties.

We are often given contact details from current clients referring us to their clients regarding the consultation services we offer. If you do not wish us to contact you, please use the ‘’opt out’’ tab on our website, or at the bottom of the email you have received.

We are often given contact details from current suppliers with recommendations of additional suppliers. We will only retain your information if we engage with you as a supplier.

How and why we use your personal information.

We may use the information we collect about you in the following ways;

  • Where it is necessary to perform a contract with you:

We may use and process your personal data where we have supplied you or continue to supply you with any consultancy services. We will use your information in connection with the contract for the provision of the services.

We may use and process your personal data where we have supplied you (or continue to supply) you with any of our consulting services.

Where we have Legitimate Interest:

We may process your personal data where it is necessary for us to pursue our legitimate interests as a business for the following:

  • To enter into and perform the contract we have with you or your business
  • To carry out work when instructed.
  • To create a profile of you based on any preferences you have indicated to us to enable us to decide what products and services to offer to you for marketing purposes.
  • To inform you about relevant events
  • For network and Information security purposes to enable us to take steps to protect your personal data against loss or damage, theft or unauthorised access.
  • To comply with a request from you in connection with you exercising your rights under the Data Protection Act & General Data Protection Regulation

Special Categories of personal data.

We may need to use more sensitive personal data about you, we will only use this information if we have your explicit consent. Where you have provided us with explicit consent you may withdraw your consent at anytime.

Our work for you may require us to provide information to third parties who will use your information for the purposes of providing services to us or directly to you on our behalf. Such third parties may include for example payment processing, software providers and mailing services.

When we use third parties, we only supply the personal information that is required for them to perform the service. We have contracts in place with such third parties to ensure that your data is secure and protected. And that it is not to be used for any other reason.

We may transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation. We comply with the Privacy Shield Principles for all onward transfers of personal data, including the onward transfer liability provisions. We may also transfer your personal data if we are under a duty to disclose or share it to comply with any legal obligation, to detect or report a crime.


The Company uses a self-assessment approach to assure compliance with this privacy policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the Principles. We encourage interested persons to raise any concerns using the contact information provided below and we will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Information in accordance with the Principles.

CyberCX has further committed to cooperate with EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints.  If you do not receive timely acknowledgement of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact the EU DPAs for more information or to file a complaint.  The services of EU DPAs are provided at no cost to you.

Under certain circumstances, described fully on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Please be aware that CyberCX is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). In addition, CyberCX may, at times be requested disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Categories of individuals whose data we may collect

Categories of individuals Employees (past and present) includes permanent and contracting staff, part time full time.
Non-employee workers including volunteers, assignees, advisors, consultants, agents and other professional experts, secondments, apprentices, interns, alumni, all other third parties.
Job applicants, candidates and pre- hires.
Client contact, current and past contacts and prospects – including employees, officers’ agents’ consultants and other professional experts.
Vendor, supplier contacts.
Members of the press and other organisations. Members of charities, educational institutions, regulators, business intermediaries.
Website users and complainants, correspondents and enquirers.
Individuals attending CyberCX events.
Other third parties

Categories of data we may process

Categories of data and processing.
Personal details Name, all types of contact details: email, phone numbers; home landline place of work number, mobile numbers. Gender, date of birth, place of birth, nationality identification number, social security number internal company employee or ID numbers. Marital/civil partnership status, domestic partners, dependants, disability status, emergency contact details, such as names and phone numbers and address of listed individual. Ethnic origin. Photographic image. CCTV or other video systems. smart building controls. Metrics systems used for data analytics, driver licence number. car details. passport number. details contained in letters of application and C.V. potential background check information. eLearning and training programs. internal/external qualifications. performance and development reviews.
Personal details – clients and prospects Name, all types of contact details: email, phone numbers; home landline place of work number, mobile numbers. Contact preferences, preferred medium for communication. Marketing preferences, data relating to services provided. Relationship with CyberCX representative. data related to event, (invitation, attendance, relevant costs)
Personal details – Vendors, service providers, suppliers, payees, intermediaries. Name, all types of contact details, such as title, job title email, all categories of phone numbers, home and work address. Data related to invitations for business events. Bank details, invoicing address. Company registration numbers company VAT numbers. Any type of unique identification numbers. Details of relationship to CyberCX.
Other individuals Name, all types of contact details, such as title, job title email, all categories of phone numbers. home and work address. Contact preference. Data relating to interaction or relationship with CyberCX.
Documents required under immigration laws. Citizenship, passport data details of residency, work permit.
Compensation and payroll Remuneration details, tax codes, insurance codes, statutory and voluntary contributions, overtime and shift work. Compensation type, pay frequency, salary reviews, performance reviews, bank details credit card details. Working time records. Pay data, expense details, receipts from expenses.
Leaves of absence Annual leave requests and approvals, statutory leave (maternity and paternity) Data relating to administrative leave (suspension), illness, leave due to accident at work. Occupational health leave (in accordance with local law) Dates of all the above listings.
Pension records Monthly. Yearly pension capital sums, differed pension sums. Type of pension.
Position Description of current position, job title, corporate status, career level, job function. Legal employment entity. Location of work, employee identification number. Terms of employment contract of employment. Length of service. Promotional prospects. Disciplinary records.
Work location and relocation Work address, place of work, workplace indicator, future assignment country. Employment permits. Visa, expiry dates.
Management Records Details of any shares of common stock or directorships. Stock purchase plans purchase eligibility & contribution. Stock options and information.
Website Tools
Marketing Promoting and providing products and services to actual and potential customers, advertising marketing and PR related activities.
Accounts and records data. Data relating to vendors, service providers, suppliers’ payees and intermediaries, legal services data. Order management, including billing credit analysis, shipping account maintenance. Internal administration and accounting for all commercial relationships. Managing and analysing sales and demand, communications, business operations, customer relationship management. conducting internal audits and other internal control activities relating to a contract. management with supplier, vendors subcontractors and business partners. Due diligence for anti-corruption and antibribery purposes. Reporting activities to fulfil finance and account requirements. Risk management and corporate audits and assessments. Legal filing and reporting, purchase order and payment. Internal investigation. Computer system security, including ensuing adequate level of protection of the personal data stored therein. Other services on an ad hoc basis.
Data relating to mergers. Ventures and acquisitions. Management and employment information. Compensation and payroll details Client relationships. Compliance, due diligence. Full company reporting: finance and legal. Risk management, corporate audits. Ensuring adequate protection of data processing activities.
Purpose for which CyberCX uses the personal data. Scheduling, Recruitment. Managing and administration of employees. Employee engagement. Performance management. Professional development. Financial planning, payroll, fund management and accounting. Share plan management and operations. Business marketing and public relations. Building and managing external relationships. maintaining relationships. Planning and delivering business capabilities. Research and development. Compliance and audit purpose. Internal & external investigations, including liaisons with law enforcement and other Government organisations. Litigation management. Client, supplier and business partner management. Technology infrastructure, security and support. Travel management. Knowledge management. reporting to Supervisory Authorities. Liaising with regulators/ government departments for routine reporting. Merger and acquisitioning. Other purposes required and or permitted by law.


You will only receive direct marketing information from CyberCX if you indicate to us a preference to do so, via our ‘’Subscribe’’ option on the website. You will be invited to complete a client consent/opt in process by email because of the following:

  1. Becoming a client
  2. Your attendance at an event
  3. Providing us with a business card directly to a CyberCX employee or provided at a business event.
  4. You, registering your brief contact details to obtain information, or free downloads from our website.
  5. An email request from you to attend an event.
  6. Your attendance at an event organised or co-hosted by CyberCX that has been promoted via social media or other advertisement.

We may use and process your information where you have consented for us to do so via our consent process. This consent can be withdrawn at any time via our ‘’unsubscribe from the list’’ option.

For more information please click on ‘’privacy policy’’ to follow the link to our privacy policy. Within the footer of all company emails sent both internally and externally a link to our privacy policy can be followed.

Credit and debt card payment

When you pay for any services over the telephone/internet, your credit/debit card payment is processed by a third-party payment processor, who specialises in the secure online capture and processing of credit/debit card transactions. If you have any questions regarding secure transactions, please contact us using the details at the end of this policy

Direct Debt payments

If you set up a direct debit, your name, bank account number and sort code will be shared electronically with your bank or building society and a third-party processor in order to set up the direct debit mandate.
A copy of your direct debit mandate will also be held by CyberCX to allow us to track any payments made and will be kept in accordance with our data retention policy.
You may cancel a direct debit at any time by informing us and contacting your bank or building society.

Where we store your data

All information you provide to us for our use is stored on secure servers which are located in Australia. Using cloud service providers such as Amazon Web Services (AWS).

The third parties listed under ‘purpose for which CyberCX uses personal data’’ which process your personal data may be located outside of the EEA or they may transfer your data outside the EEA. Those countries may not have the same standards of data protection and privacy laws as the UK. Which means additional safeguards must be in place. Whenever we transfer your data outside the EEA we introduce obligations on the recipients of that data to protect your personal data to the standard that the UK expect.

How long will we retain your data for?

If we collect your personal data, the length of time for which we retain it is determined by a number of factors including the type of data, the purpose for which we use that data and our regulatory and legal obligations attached to this use. The only exception to this is where the law requires us to hold your personal data for a longer period or delete it sooner: You ask us to delete your data (if applicable).

Data Category/document type Retention period
Client folders 6+1 Year after termination of contract.
Recruitment data Up to 12 months after candidate application.
Employment Data 6 + 1 Year after leaving employment
Supplier 6 +1 year after termination of the contract.

Your Rights

You have a number of rights in relation to your personal data under data protection legislation. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, or clarification to enable us to find your personal data. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity; or (ii) where we do not need to do this because we already have this information, from the date we received your request.

Accessing your personal data:

You have the right to ask for a copy of the data that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal data if it concerns other individuals or we have another lawful reason to withhold that data. We may charge you a reasonable fee based on administrative costs if you request a copy of data we have previously provided to you or if your request is manifestly unfounded or excessive. In line with our environmental commitments, we will try to provide you with a copy of your data by electronic means where this is possible, unless you have specified otherwise in your request.

Correcting and updating your personal data:

The accuracy of your data is important to us, therefore if you change your name or address/email address, or you discover that any of the other data we hold is inaccurate or out of date, please let us know by contacting us using the details set out at the end of this policy.

Withdrawing your consent:

Where we rely on your consent as the legal basis for processing your personal data, as set out under ‘How we use your personal data’, you may withdraw your consent at any time by emailing or writing to us at the address at the end of this policy.  If you withdraw your consent, our use of your personal data before you withdraw your consent is still lawful.

Objecting to our use of your personal data:

Where we rely on our legitimate interests as the lawful basis for processing your personal data for any purpose(s), as set out under How we use your personal data, you may object to our using your personal data for these purposes by emailing or writing to us at the address at the end of this policy.

You may object to us using your personal data for direct marketing purposes and we will immediately comply with your request. Please refer to the marketing section within this policy.

You may also contest a decision made about you based on automated processing by emailing or writing to us at the address at the end of this policy.

Erasing your personal data or restricting its processing

In certain circumstances, you may ask for your personal data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Please note that this right is not an absolute right. Provided we do not have any continuing lawful reason to continue processing or holding your personal data, we will make reasonable efforts to comply with your request.

You may also ask us to restrict processing your personal data where you believe our processing is unlawful, you contest its accuracy, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings.  We may only process your personal data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company.

Transferring your personal data in a structured data file:

Where we rely on your consent as the Lawful Basis for processing your personal data or need to process it in connection with your contract, as set out under How we use your personal data, you may ask us to provide you with a copy of that data in a structured data file. We will provide this to you electronically in a structured, commonly used, and machine-readable form.

You can also ask us to send your data to an alternative consultancy provider and we will do this if it is technically possible. We may not be able to provide you with a copy if your data contains information concerning someone else.

Complaining about the use of your personal data.

If you wish to complain about the way we use your personal data, you can e-mail us using the details set out at the end of this policy. If you are dissatisfied with our response to your complaint and remain concerned about the way we have processed your personal data, you have the right to complain to the Information Commissioner’s Office (ICO)  or seek to enforce your rights through a judicial remedy.


The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website and any transmission is at your own risk. Once we have received your personal data, we have in place reasonable and appropriate controls to ensure that it remains secure against accidental or unlawful destruction, loss, alteration, or unauthorised access.


Like many other websites, our website uses cookies (including Google Analytics cookies to obtain an overall view of visitor habits and visitor volumes to our website). ‘Cookies’ are small pieces of information sent to your computer and stored on its hard drive to allow our website to recognise you when you visit. You can switch these cookies of by setting your browser preferences.

Contacting us

Our Data Protection subject matter expert looks after all aspects of Data Protection for us. If at any time you wish to access, update or delete the information that we hold, please contact us at the contact details below. If this information is not accurate or complete, you may ask us to amend it. Please contact the below named privacy officer.

For any questions please contact us at:

Privacy Officer
CyberCX Ltd
Phone: +44 (0)1865 987180
Email: [email protected]
Mail: Home Park, Grove Road, Bladon, OXFORDSHIRE, OX20 1FX

Ready to get started?

Find out how CyberCX can help your organization manage risk, respond to incidents and build cyber resilience.