When you deal with CyberCX you trust us with your information. We take privacy seriously and we are committed to protecting the data you provide us with.
This policy explains when and why we collect personal data about you, how this data is used, the conditions under which it may be disclosed to others, and how it is kept secure.
This policy may change from time to time so please re visit this page occasionally to ensure that you are happy with any changes.
Who we are?
The CyberCX group unites the most trusted cyber security companies to deliver a comprehensive cyber security capability for enterprises and governments across the UK, US and Australia. With a workforce of 600+ cyber security professionals, a footprint of more than 20 offices across the globe, CyberCX offers the ultimate end-to-end cyber security service.
How we collect data.
When we refer to personal data, we refer to information that could identify you directly, such as your name, or indirectly by a certain characteristic combined with information we already hold about you.
We may receive information about you from you or third parties. Where we receive information about you we will only use that information for the purposes we have collected the data.
You provide us with information about yourself when:
Information received from third parties and who those third parties may be.
- you visit our website,
- you engage with us to provide consultant services,
- you enter information via our website – opt in/providing consent.
- you communicate with us via social media, phone or email.
- you become a supplier.
We may automatically collect information about you which may observe, detect or create without directly asking you to supply this information. This information is automatically gained through the use of our website or online services. Please refer to the ‘cookies’ section.
How we use your personal data which is supplied by third parties.
Information received from third parties and who those third parties may be.
- Recruitment companies, as part of the recruitment process
- Employers may provide references about you to Cyber CX
- Clients provide information relating to actual or potential engagement
We are often given contact details from current clients referring us to their clients regarding the consultation services we offer. If you do not wish us to contact you, please use the ‘’opt out’’ tab on our website, or at the bottom of the email you have received.
We are often given contact details from current suppliers with recommendations of additional suppliers. We will only retain your information if we engage with you as a supplier.
We may contact previous/present employers, asking them to provide a reference. If you are unsuccessful at any stage of the process, the information will be retained for 12 months following the closure of the recruitment drive.
How and why we use your personal information.
We may use the information we collect about you in the following ways;
Where it is necessary to perform a contract with you:
We may use and process your personal data where we have supplied you or continue to supply you with any consultancy services. We will use your information in connection with the contract for the provision of the services.
Where we have Legitimate Interest:
We may process your personal data where it is necessary for us to pursue our legitimate interests as a business for example:
- To enter into and perform the contract we have with you or your business
- To carry out work when instructed.
- To create a profile of you based on any preferences you have indicated to us to enable us to decide what products and services to offer to you for marketing purposes.
- To inform you about relevant events
- For network and Information security purposes to enable us to take steps to protect your personal data against loss or damage, theft or unauthorised access.
- To comply with a request from you in connection with you exercising your rights under data protection legislation.
- To ascertain your suitability for a role you have applied for with us.
Sharing personal data with Third Parties
Our work for you may require us to provide information to third parties who will use your information for the purposes of providing services to us or directly to you on our behalf. Such third parties may include for example payment processing, software providers and mailing services.
When we use third parties, we only supply the personal information that is required for them to perform the service. We have contracts in place with such third parties to ensure that your data is secure and protected. And that it is not to be used for any other reason.
We may disclose your personal data to any member of our group of companies (this means our subsidiaries, our ultimate holding company and all its subsidiaries) insofar as reasonably necessary for the purposes, and on the legal bases, set out in this policy.
We may transfer your personal data to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation. We may also transfer your personal data if we are under a duty to disclose or share it to comply with any legal obligation, to detect or report a crime.
Categories of individuals whose data we may collect
|Categories of individuals|
|Job applicants, candidates and pre- hires.|
|Client contact, current and past contacts and prospects – including employees, officers’ agents’ consultants and other professional experts.|
|Vendor, supplier contacts.|
|Members of the press and other organisations. Members of charities, educational institutions, regulators, business intermediaries.|
|Website users and complainants, correspondents and enquirers.|
|Individuals attending CyberCX events.|
|Other third parties|
Categories of data we may process
|Categories of data and processing.||Purposes that data is used for.|
|Personal details – clients and prospects||Name, all types of contact details: email, phone numbers; home landline place of work number, mobile numbers. Contact preferences, preferred medium for communication. Marketing preferences, data relating to services provided. Relationship with CyberCX representative. data related to event, (invitation, attendance, relevant costs). Direct debit details.||Client, supplier and business partner management.|
|Personal details – Vendors, service providers, suppliers, payees, intermediaries.||Name, all types of contact details, such as title, job title email, all categories of phone numbers, home and work address. Data related to invitations for business events. Bank details, invoicing address. Company registration numbers company VAT numbers. Any type of unique identification numbers. Details of relationship to CyberCX.||Client, supplier and business partner management.|
|Personal details – job applicants, candidates, pre-hires||Name, contact details, details contained in letters of application and C.V. potential background check information. internal/external qualifications.||Recruitment.|
|Other individuals||Name, all types of contact details, such as title, job title email, all categories of phone numbers. home and work address. Contact preference. Data relating to interaction or relationship with CyberCX.||Client, supplier and business partner management.
|Marketing||Promoting and providing products and services to actual and potential customers, advertising marketing and PR related activities.||Business marketing and public relations. Building and managing external relationships. maintaining relationships.|
|Accounts and records data. Data relating to vendors, service providers, suppliers’ payees and intermediaries, legal services data.||Order management, including billing credit analysis, shipping account maintenance. Internal administration and accounting for all commercial relationships. Managing and analysing sales and demand, communications, business operations, customer relationship management. conducting internal audits and other internal control activities relating to a contract. management with supplier, vendors subcontractors and business partners. Due diligence for anti-corruption and antibribery purposes. Reporting activities to fulfil finance and account requirements. Risk management and corporate audits and assessments. Legal filing and reporting, purchase order and payment. Internal investigation. Computer system security, including ensuing adequate level of protection of the personal data stored therein. Other services on an ad hoc basis.||Building and managing external relationships. maintaining relationships. Planning and delivering business capabilities. Research and development. Compliance and audit purpose. Internal & external investigations, including liaisons with law enforcement and other Government organisations. Litigation management. Client, supplier and business partner management. Technology infrastructure, security and support. Travel management. Knowledge management. Reporting to Supervisory Authorities. Liaising with regulators/ government departments for routine reporting. Other purposes required and or permitted by law.|
|Data relating to mergers. Ventures and acquisitions.||Management and employment information. Compensation and payroll details Client relationships. Compliance, due diligence. Full company reporting: finance and legal. Risk management, corporate audits. Ensuring adequate protection of data processing activities.||Merger and acquisitioning. Compliance and audit purpose. Internal & external investigations, including liaisons with law enforcement and other Government organisations. Reporting to Supervisory Authorities. Liaising with regulators/government departments for routine reporting. Other purposes required and or permitted by law.|
You will only receive direct marketing information from CyberCX if you indicate to us a preference to do so, via our ‘’Subscribe’’ option on the website. You will be invited to complete a client consent/opt in process by email because of the following:
- Becoming a client.
- Your attendance at an event.
- Providing us with a business card directly to a CyberCX employee or provided at a business event.
- You, registering your brief contact details to obtain information, or free downloads from our website.
- An email request from you to attend an event.
- Your attendance at an event organised or co-hosted by CyberCX that has been promoted via social media or other advertisement.
We may use and process your information where you have consented for us to do so via our consent process. This consent can be withdrawn at any time via our ‘’unsubscribe from the list’’ option.
What are cookies?
A cookie is a small data file that is placed om your computer or device to allow a website to recognise you as a user. Some cookies can tell how often you use the website, the duration of the visit. Cookies are very common way for remembering information about the visitor to the website.
Cookies we use
How to control and delete cookies
If you wish to reduce or block these cookies you can do this through your browser settings. The help section within your browser will show you how to do this. If you would like more information on cookies, please visit www.allaboutcookies.org.
Credit and debt card payment
Direct Debt payments
If you set up a direct debit, your name, bank account number and sort code will be shared electronically with your bank or building society and a third-party processor in order to set up the direct debit mandate.
A copy of your direct debit mandate will also be held by CyberCX to allow us to track any payments made and will be kept in accordance with our data retention policy.
You may cancel a direct debit at any time by informing us and contacting your bank or building society.
Where we store your data
All information you provide to us for our use is stored on secure servers which are located in Australia. Using cloud service providers such as Amazon Web Services (AWS).
The third parties listed under ‘purpose for which CyberCX uses personal data’’ which process your personal data may be located outside of the UK or they may transfer your data outside the UK. Those countries may not have the same standards of data protection and privacy laws as the UK. Which means additional safeguards must be in place. Whenever we transfer your data outside the UK we introduce obligations on the recipients of that data to protect your personal data to the standard that the UK expect.
How long will we retain your data for?
If we collect your personal data, the length of time for which we retain it is determined by a number of factors including the type of data, the purpose for which we use that data and our regulatory and legal obligations attached to this use. The only exception to this is where the law requires us to hold your personal data for a longer period or delete it sooner, or you ask us to delete your data (if applicable).
|Data Category/document type||Retention period|
|Queries||Up to 12 months after query.|
|Client folders||7 Years after termination of contract.|
|Recruitment data||Up to 12 months after candidate application.|
|Supplier||7 years after termination of the contract.|
If your application for employment is successful, the information you provided during the application process will be retained by us as part of your employee file for the duration of your employment.
You have a number of rights in relation to your personal data under data protection legislation. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, or clarification to enable us to find your personal data. Except in rare cases, we will respond to you within one month from either (i) the date that we have confirmed your identity; or (ii) where we do not need to do this because we already have this information, from the date we received your request.
Accessing your personal data:
You have the right to ask for a copy of the data that we hold about you by emailing or writing to us at the address at the end of this policy. We may not provide you with a copy of your personal data if it concerns other individuals or we have another lawful reason to withhold that data. We may charge you a reasonable fee based on administrative costs if you request a copy of data we have previously provided to you or if your request is manifestly unfounded or excessive. In line with our environmental commitments, we will try to provide you with a copy of your data by electronic means where this is possible, unless you have specified otherwise in your request.
Correcting and updating your personal data:
The accuracy of your data is important to us, therefore if you change your name or address/email address, or you discover that any of the other data we hold is inaccurate or out of date, please let us know by contacting us using the details set out at the end of this policy.
Withdrawing your consent:
Where we rely on your consent as the legal basis for processing your personal data, as set out under ‘How we use your personal data’, you may withdraw your consent at any time by emailing or writing to us at the address at the end of this policy. If you withdraw your consent, our use of your personal data before you withdraw your consent is still lawful.
Objecting to our use of your personal data:
Where we rely on our legitimate interests as the lawful basis for processing your personal data for any purpose(s), as set out under ‘How we use your personal data’, you may object to our using your personal data for these purposes by emailing or writing to us at the address at the end of this policy.
You may object to us using your personal data for direct marketing purposes and we will immediately comply with your request. Please refer to the marketing section within this policy.
You may also contest a decision made about you based on automated processing by emailing or writing to us at the address at the end of this policy.
Erasing your personal data or restricting its processing
In certain circumstances, you may ask for your personal data to be removed from our systems by emailing or writing to us at the address at the end of this policy. Please note that this right is not an absolute right. Provided we do not have any continuing lawful reason to continue processing or holding your personal data, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your personal data where you believe our processing is unlawful, you contest its accuracy, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings. We may only process your personal data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company.
Transferring your personal data in a structured data file:
Where we rely on your consent as the Lawful Basis for processing your personal data or need to process it in connection with your contract, as set out under How we use your personal data, you may ask us to provide you with a copy of that data in a structured data file. We will provide this to you electronically in a structured, commonly used, and machine-readable form.
You can also ask us to send your data to an alternative consultancy provider and we will do this if it is technically possible. We may not be able to provide you with a copy if your data contains information concerning someone else.
Complaining about the use of your personal data.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). However, we would appreciate the chance to deal with your concerns before you approach the ICO, so if you wish to complain about the way we use your personal data, you can e-mail us using the details set out at the end of this policy.
The transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website and any transmission is at your own risk. Once we have received your personal data, we have in place reasonable and appropriate controls to ensure that it remains secure against accidental or unlawful destruction, loss, alteration, or unauthorised access.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Our Data Protection subject matter expert looks after all aspects of Data Protection for us.
For any questions please contact us at:
Phone: +44 (0) 1865 504 032
Email: [email protected]
Mail: Home Park, Grove Road, Bladon, OXFORDSHIRE, OX20 1FX