Privacy Policy

(Updated: 20/05/2024)

Marketing

No data will ever be shared or used for direct marketing purposes by us or any third parties.

In the event that the service is acquired by another entity with a different Privacy Policy, account owners will be advised of the changes and given the option to close their accounts.

New products and services from us will only be mentioned from within the service itself rather than via email or other messaging channels.

Sharing

No data will ever be shared or used by other entities, except where required to provide the service.

Metrics may be collected in aggregate and shared between customers after de-identifying that data, such as to allow a maturity comparison between organisations within and across industries.

Data Collected

Metadata associated with the usage of the service are captured, logged, archived and analysed to aid in the maintenance and evolution of the service.

User names and email addresses are provided via authentication services and may be stored in logs and audit trails. These are required for authentication, authorisation and attribution purposes.

Some contact information may be stored for the purposes of incorporating that data into reports and documents.

All other data collected is provided by the end users or automated systems integrated with the service. These may include internal security details, such as controls implemented, the maturity of those controls along with the system and information assets they apply to. 

Subprocessors

This section of our Privacy Policy outlines how the Cybersecurity Office SaaS solution utilises subprocessors to provide certain features and services, specifically in relation to the use of OpenAI's API. We are committed to maintaining the privacy and security of your personal and commercial data when using our services.

OpenAI API Usage

We use the OpenAI API as a sub-processor to enhance our services in the following scenario:

• AI Assisted Tasks and Suggestions: When you initiate a task that requires AI processing to generate suggestions, we send contextual information from the system, which may include customer data, to the OpenAI API. For example, when you request that a set of tasks be grouped into related WorkPackages, the relevant Task information will be sent to the OpenAI API.

Any references to the organisation name set in the Tenant profile is masked in any data sent to the OpenAI API, irrespective of the entities within which those matches are found. While it may be possible to infer from other information the owner of the data being sent, there is no direct traceability via this path.

OpenAI API usage has its own policies, including the Data processing addendum. Please refer to these to understand your obligations and rights. The key details to note include:

• Any AI generated data is owned by the customer.
• Any data provided to the OpenAI API for analysis is not used by OpenAI to train their models.
• OpenAI does not “sell” (as such term is defined by U.S. Privacy Laws) or “share” (as such term is defined by the CCPA) Personal Data
• All usage of the OpenAI API is subject to the OpenAI Usage Policies. AI Assistant conversations are stored to ensure compliance with this policy.

Data Retention and Compliance

Conversations with the virtual cybersecurity architect are retained within the Cybersecurity Office system and associated with your login name, which is typically your email address. We retain this data for the following purposes:

1. OpenAI API conversational context: Rather than being session based, the nature of the OpenAI API conversational interaction requires the entire history of a conversation to be resubmitted with every new message. This requires all prior messages to be stored so that they may be resent as part of either a single conversation, or an ongoing conversation over multiple separate Cybersecurity Office sessions.
2. Compliance with OpenAI Terms: OpenAI reserves the right to terminate API keys if consumers send messages that violate their terms of service. We maintain a copy of these conversations to ensure compliance and trace responsibility to end users who may violate these terms.
3. Product Improvement: We use conversation data to improve our services, specifically related to enhancing the handling of specific topics of conversation and addressing areas where the system may not have performed optimally.

Subprocessor Notifications and Updates

We will notify you of any updates or changes to our list of subprocessors, including OpenAI, by providing at least 14 days notice before granting any new subprocessor access to your personal data. If you do not approve of such changes, you may terminate your subscription for the affected offering without penalty by providing written notice of termination, including an explanation of the grounds for non-approval, prior to the expiration of the notice period.

As outlined above, personal information is limited to contact information provided for the purposes of producing reports and other documents.

Subprocessor Responsibility

Cybersecurity Office remains responsible for the compliance of our subprocessors, including OpenAI, with the obligations set forth in this Privacy Policy. We carefully select subprocessors and continuously monitor their data protection practices to ensure that your personal data remains secure and protected.

By using our services, you consent to the use of subprocessors, as described in this Privacy Policy. If you have any questions or concerns regarding our subprocessors or the processing of your personal data, please do not hesitate to contact us.

Data Security

Security Measures

The solution employs defence-in-depth security controls to protect customer data. These measures leverage Azure hosted and implemented coarse and medium-grained controls as well as application specific fine-grained controls within the system.

By utilising OAuth based federated authentication, authentication policies are the responsibility of the customer, along with identity lifecycle management controls over role assignment from within the customer's own Azure Entra ID. Multifactor authentication is enforced, if you have enabled and enforced it for your organisation.

No Perfect Security

While we make every effort to enforce security controls at multiple layers, no system can be completely secure. We can not guarantee that our security measures will prevent all possible security breaches or incidents.

Incident Response

In the event of a security incident that affects customer data, Secure Arc will promptly notify the impacted customers and take appropriate steps to mitigate the impact of the incident.

We will also cooperate with customers to investigate the incident and provide a detailed incident report.

Customer Responsibilities

Customers are responsible for maintaining the security of their own systems and data, including ensuring that personnel use strong passwords, multifactor authentication is enforced, role based access is regularly reviewed, access is revoked for terminated employees in a timely manner and best practices for information security are followed.

Customers with an existing investment in Identity Governance & Administration systems that provide identity lifecycle management processes over their Azure Entra ID users should require minimal changes to support the application role management required to incorporate Cybersecurity Office. No direct integration with the SaaS solution is required.

Complaints

Privacy issues should be raised directly with us from within the service after logging in with your user credentials, or by submitting a support request.

If we are unable to resolve the privacy issue, you may wish to raise it directly with the OAIC.