Group Privacy Policy

CyberCX Pty Ltd (CyberCX) is a global provider of cyber security services with operations in Australia, New Zealand, the United Kingdom and the United States of America. CyberCX’s activities outside Australia are performed by wholly owned subsidiaries of CyberCX. In this policy CyberCX and its wholly owned subsidiaries are collectively referred to as the “CyberCX Group”, “we”, “us” and “our”.

This policy covers the operations of the CyberCX Group. Specific information regarding geographic regions is detailed below.

 

1. Contents at a glance

The following is a summary of this policy. For further detail we encourage you to read the policy in full.

This policy outlines how we manage personal information (also referred to as ‘personal data’), and in particular:

• the types of personal information we collect, use and hold;
• how, when and why we collect, use and hold personal information;
• how, when and why we disclose personal information, including overseas transfers;
• how we secure personal information;
• a person’s right to access their personal information and correct it; and
• how to contact us (including for complaints) regarding privacy matters.

This policy also covers how the CyberCX Group manages personal information when:

• providing services and products for our customers; and
• dealing with our internal business operations (such as employment, events, and procurement).

Many of our services do not involve us collecting personal information, but where necessary for us to do so (including as part of our providing services) we collect, use, hold and disclose personal information of our customers. This can include the personal information of our customers’ own customers, employees and representatives (being “End Users”).

We only use this personal information so we can perform our services for customers. For example, we may use personal information to administer our contracts with a customer, or we may collect (or rather ‘see’) personal information when we are engaged to provide a security monitoring service. We do not copy or hold a customer’s personal information unless it is necessary for the service and only for such time as is necessary (or as required by law).

In many cases we rely on our customers to give or obtain the consents we require to collect, use, hold and disclose personal information. This includes our customers having notified their End Users that they will be disclosing an End User’s personal information to us.

Some of our services make it impracticable to obtain consent directly from an individual – for example if we are engaged to conduct a security penetration or vulnerability test of a database, we would not be able to obtain the consent of the individuals in that database prior to performing the test. We ask our customers to clearly understand our services so that they are aware of any privacy implications and obtain any required consents from their End Users.

As a global company, when we store personal information it will be kept in our Australian based cloud tenancies (provided by our trusted third party vendors, such as Microsoft or Amazon Web Services). We may also use the teams of our overseas subsidiaries as part of our service delivery in specific instances, such as our incident response services or our managed security and/or monitoring services. In such cases, if any personal information is collected it may be accessed by these overseas teams. Some of our services, such as digital forensics endeavour to keep data (including personal information) obtained during an investigation in the local jurisdiction in which the work is being performed.

Outside of our service offerings, for activities such as our internal functions (e.g. employing staff and engaging contractors) and public events (e.g. industry functions) we can collect personal information. The way we collect, use, hold and disclose personal information for those activities will depend on the nature of the activities.

 

2. Policy in detail

2.1 Collection – personal information we collect from our service offerings

We collect personal information based on our different service offerings. Broadly speaking this can be split into two categories:

(1) Business Contact Information or “BCI” being information relating to each person who is involved in procuring or operationalising an engagement with us. This kind of information includes: a person’s name, email, telephone numbers, title, their employer’s name, any authority to sign documents or place orders with us, and any other details the person may disclose to us; and

(2) Scope Dependent Information or “SDI” being information that relates to the personal information of our client’s customers, employees and representatives, which is provided to us or we may see during our engagement due to the nature of the service being supplied. This can include a client’s customer’s: name, email or physical addresses, telephone numbers, banking details, payment card details, government identifiers, health or other sensitive information.

All of our service offerings will involve us collecting BCI, but only some will involve us collecting SDI.

2.2 Collection – personal information we collect outside our service offerings

When an individual interacts with the CyberCX Group outside of our service offerings (such as employing staff and engaging contractors, and our internal functions or public events), we may need to collect certain personal information depending on the nature of the interaction. This information includes:

• Contact Information: including a person’s name, contact details, identification, mailing address, email address, telephone number, and other personal identifiers.
• Online and technical information: affiliations, dealings and transactions with us, including by online, internet protocol address, browser type, domain names, times, interactions with our websites, applications, operating system and other information collected using cookies and similar technologies.
• Biometric identifiers: including facial recognition data, fingerprints, and that obtained via CCTV footage.
• Employment and contractor information:
  • When you apply to work with us (including when applying to join our Academy programs) we collect your contact information, and information about your education, experience, and character, information about your right to work in Australia (such as your citizenship or visa details), referee information, as well as any details or information required for us to conduct background checks or validate any of this information.
  • When you are working for us, we will collect information about your: employment or engagement activities including information about your performance; next of kin and similar contacts; behaviour and conduct (while at work, and if relevant any behaviour outside of working hours that can be reasonably connected to us); use of our IT resources; leave and payroll matters, such as bank and superannuation details, medical certificates and other leave reasons or supporting documents.

For further details that may apply as an employee or contractor, please refer to our internal resources or (as appropriate) request further information during any employment process.

• Interaction information: including visitor logs and information collected when you attend CyberCX Group offices or sponsored events.
• Health information: where a law or government direction (such as a public health order) requires us to do so, we will collect any health information required to be collected under such a law or direction. For example, we may collect a person’s vaccination status when a health order is in effect requiring us to do so, or we may collect information about a person’s chronic health condition or disability when they work for us so we can assist that person in their working role.

2.3 How and when we collect personal information

When providing our services to customers, we collect personal information directly from individuals but may also receive personal information about a person from our customer, or third parties (such as that person’s employer or service provider, information brokers, insurers and government agencies) depending on the circumstances.

Examples of when we collect personal information from an individual include when:

• an individual provides us their details. This could be when an individual contacts us by telephone or electronic communications, or when an individual provides us a business card;

• an individual (or an organisation they represent) buys services from us, or sells goods or services to us;
• an individual creates any type of account with us;
• we process orders and payment transactions;
• we obtain feedback about our solutions and services;
• an individual registers for our events, workshops and seminars;
• an individual applies to work for us, or during the course of their employment with us.

We may also collect personal information about an individual from a customer or third parties when:

• that person uses our services or products whilst working for or interacting with one of our customers;
• an organisation the person buys goods or services from or interacts with is our customer;
• a person’s details are used as contact details or when signing for receipt of any products or services we provide (such as by couriers or third party software licence vendors);
• third parties make inquiries of us about a person (for example, law enforcement agencies or parties undertaking reference or character checks);
• we engage with data or information brokers or providers, credit reporting bodies or recruitment companies; or
• we use publicly available sources of information.

We may also automatically collect information about a person’s activity on our website through the use of cookies, for example we may collect and use information about a person’s language preferences, login information, or time spent viewing certain webpages. Please refer to our Cookies Notice for more information about our use of cookies (available online at: https://cybercx.com.au/cookies/).

2.4 How we use the personal information we collect

CyberCX Group uses personal information:

• for the purposes we have collected it for under a customer engagement, or an actual or potential employment relationship;
• where the individual has expressly consented to its use and collection, in the manner set out in that consent;
• to improve, develop, and provide our services;
• for BCI, to inform and contact our customers, their employees and other contacts regarding insights, events, and marketing activities relating to our business and services, in addition to other uses in this policy;
• as part of our activities when we tender for work, where such tender calls for the provision of referees, testimonials, or endorsements (and provided we have been given permission by the relevant individual providing their details);
• when forming part of threat intelligence, we may use this information for analysis, providing alerts, investigations, generating reports for internal and external purposes, and other security activities in relation to a cyber security threat or threat actor;
• to carry out our internal business functions, such as customer or employee onboarding (including financial due diligence, or background checks), and other purposes set out in an employee privacy notice;
• to process and respond to any privacy questions or complaints from an individual about their personal information; and
• to the extent relevant, to fulfil any legal duty or obligation required of us under an applicable law, regulation, accounting standard or the rules of a stock exchange.

2.5 How we disclose personal information

We may disclose personal information to a third party in order to fulfil our contractual or legal obligations, or our business activities. These third parties include:

Third party category	Examples of purposes for disclosure
CyberCX Group’s third party suppliers for the provision of products or services to our customers	To our product vendors when an individual or their company orders their products, so as to facilitate the transaction and licensing allocation; and to inform that individual or their company of related product opportunities.
CyberCX Group’s third party suppliers for our internal activities	Where our employees are required to undertake a background check – our third party background check providers. Where a person requires access to a building or facility – our third party building owners or facility managers. Where a person requests to attend an offsite event – the owners or managers (including their agents) of such external events and related facilities.
An individual’s current or former employer or another nominated person	When considering whether to employ an individual we may conduct reference and character checks with associates who know the individual.
CyberCX Group’s external professional advisors and representatives	Where we require legal, financial, accounting or professional advice.
Government agencies or authorities (in regions in which we operate)	Where we are required by law or a legal instrument to disclose information, or we are permitted to do so under a law and it is appropriate to do so (such as where an individual is at risk of, or at risk of causing harm).
CyberCX Group’s group of companies	As part of our business operations and service delivery, we may share personal information within our corporate group. This includes our subsidiaries located overseas (see below for more information on international transfers).

 

Other than the examples provided above, we will only disclose personal information to other third parties where the law requires it, if it is required for a legal proceeding, to prove or protect our rights or to any buyers or potential buyers in the event that we seek to sell all or part of our business.

International Data Transfers

CyberCX Group’s head office is based in Australia. We may transfer personal information:

• between any of our corporate group members, located in the Regions below;
• to a third party vendor located in another country where: we have been asked to provide a product or service; and it is necessary for us to pass on this information to facilitate this supply, to that country.

Other than Australia, our corporate group members located in:

• United Kingdom of Great Britain and Northern Ireland;
• United States of America; and
• New Zealand,

each a Region.

Data processors and hosting

CyberCX Group uses AWS and Microsoft for our cloud hosting. Our Microsoft 365 tenancy is located in Australia, and we utilise AWS instances in each of our Regions to store specific types of data and personal information.

We also utilise other service providers located around the world as listed on our Sub-processors page.

 

3. Your right to access and correct your personal information

Individuals have the right to request access to, or the correction of, the personal information we hold about them. To do so, please see the Contact Us section below.

This is not a comprehensive statement of an individual’s rights in relation to their personal information – individuals located in different countries may have additional rights under their local laws if they apply to us.

 

4. How we store and secure your personal information

We hold personal information electronically and in hard copy form, both at our own premises and digitally in our cloud hosting with the assistance of our third party service providers.

We are ISO 27001 certified. This means we have a system to manage risks related to the security of data handled by us, and that this system respects all the best practices and principles enshrined in this internationally recognised standard, and our conformity with such practices and principles have been assessed by an independent third party audit.

The management of our environment is also aligned with standards such as the Australian Government’s Essential Eight (E8), and Information Security Manual (ISM).

We have systems in place to: audit and monitor access to information we hold; identify, and if required, block information from leaving our systems; prohibit unauthorised access from persons external or internal to our systems; encrypt, log and as needed, delete or anonymise information; and we otherwise keep personal information secure while it is being stored and encrypted while in transit.

 

5. Contacting us

5.1 Access or correction requests

A request to access or correct personal information about an individual must be made to the Privacy Officer in writing (contact details below).

Any requests must identify the person making the request so we can be satisfied that they have a right to access the personal information about them. We may take steps to validate a person’s identity, including by engaging one of our third party providers to assist.

A request should also contain a description of what personal information the individual believes we hold so we can consider how access can be provided or whether correction is appropriate.

5.2 Direct Marketing & Opting out

We may send you emails concerning our products and services, events and other engagement activities if you have provided us with your contact details. We may also send you any service-information that you have requested from us (such as threat intelligence feeds, or industry updates). You have the right to opt out of receiving marketing communications from us – the process for opting out will be included in the communications.

5.3 Right to withdraw consent or “Opt Out”

Where an individual has given their consent to allow us to collect, use, disclose, process or otherwise manage their personal information (anywhere in the world), they may withdraw that consent at any time by completing our online opt-out form. This link can also be used to opt out of any direct marketing.

If consent is withdrawn we may not be able to provide products or services in part or full.

5.4 Complaints

If a person believes we have mismanaged the handling of their personal information they may complain to us about our handling of their personal information by writing to the CyberCX Group Privacy Officer.

When we receive a complaint we will:

• Conduct an initial assessment of the complaint (including ensuring the complaint is by the person to whom the personal information belongs).
• Notify the complainant that their complaint has been received and what actions CyberCX Group will take next (such as requiring more information, dismissing the complaint, or commencing an investigation).
• Where we decide to investigate the complaint we will notify the complainant of the estimated duration, and provide periodic updates on the complaint’s status. On completion of a complaint investigation, we will provide the complainant with a summary of our findings and determination.

After notifying CyberCX Group of a complaint, if an individual is not satisfied with the way we have handled the complaint they may complain to the applicable Privacy Regulator (see Geographic Region Specific Notices below).

5.5 Minors

We do not intentionally or knowingly collect or gather personal information about visitors who are minors. If a minor has provided us with personal information, their parent or guardian may contact our Privacy Officer.

5.6 Contact CyberCX

Privacy Officer
CyberCX Pty Ltd
Phone: 1300 031 274

Email: [email protected] *

Mail: Level 4, 330 Collins Street, Melbourne VIC 3000 *

* Please do not include any sensitive information within your email or mail.

 

6. Geographic Region Specific Notices

6.1 Australia

If you have filed a complaint with us and we do not adequately answer your concerns, you will have the right to make a complaint in writing to the Office of the Australian Information Commissioner (www.oaic.gov.au).

6.2 European Union (EU) and United Kingdom of Great Britain and Northern Ireland (UK)

For individuals in the EU, we adhere to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, known as the General Data Protection Regulation (the “GDPR”) and only collect and process personal data about users in the EU when we have a legal basis for doing so under Article 6 of the GDPR.

For users in the UK, we adhere to the GDPR as enshrined in the Data Protection Act 2018 as relevant (also referred to as the “GDPR”).

When transferring your personal data to another country, if you are located in the UK or the European Union we will only transfer your personal data if:

• the country your personal data is being transferred to has been deemed to have adequate data protection by the European Commission or, if you are in the UK, by the UK adequacy regulations; or
• we have implemented appropriate safeguards to govern the transfer. For example, the recipient is a party to binding corporate rules, or we have entered into standard EU or UK data protection contractual clauses with the recipient.

We will not otherwise transfer your data save in a manner in accordance with the GDPR.

We have not appointed a Data Protection Officer as we do not fall within the categories of controllers and processors required to appoint a Data Protection Officer under Article 37 of the GDPR.

Under the GDPR, you have the following additional rights;

• Right to be informed
• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability and

6.3 Right to object UK complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

6.4 New Zealand

Where you are an individual that New Zealand privacy law applies to, you may make a complaint to us about a breach of the New Zealand information privacy principles by contacting us through our Contacting Us details. We will investigate your complaint and endeavour to resolve any issue to your satisfaction. If we do not adequately answer your concerns, you have the right to make a complaint to the New Zealand Privacy Commissioner (https://www.privacy.org.nz/).

6.5 United States of America

Residents of certain U.S. states have rights to access, delete, correct, or opt-out from certain types of processing or sharing of their personal data. These rights may be substantially similar to those we work with in other jurisdictions, however for individuals in the United States we wish to clearly state these for your comfort.

Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights:

Access your personal data. You may request to access a copy of your personal data we maintain about you. Additionally, you may request more information about:

• the categories and specific pieces of personal data we have collected about you,
• the categories of sources from which personal data is collected, and
• the categories of entities with whom we share personal data.

You can also request more information about categories of entities who use your personal data for other purposes (for example, joint marketing, joint offerings, etc.) for valuable considerations. This information may be delivered by mail or electronically at your request.

Right to correct your personal data. You may submit a request to correct inaccurate personal data.

Right to delete your personal data. You may request that we delete your personal data. Deleting this data may impact our ability to provide services to you.

Where we are permitted by law to do so, we will retain certain data about you to complete transactions relating to our services, detect security issues, prevent illegal or fraudulent activities, identify and repair errors on our services, comply with relevant laws and regulations, and for other internal and lawful purposes.

Right to op-out from certain sharing of your personal data. We may disclose your personal data to our business partners (which include third party vendors and third providers that provide services to us) who use it for purposes relevant to our services (for example, joint marketing, joint services offerings, etc.). However, we will not disclose your personal data to third parties for purposes unrelated to our services, or in exchange of monetary value.

Right to limit the use and disclosure of sensitive personal data. As noted in section 2.1 above, some of our services may involve the collection of “sensitive personal data” as part of the work we have been asked to do. In doing this work, we have been informed by the party that collected your data (our customer), that they have notified you of such disclosures to us and obtained your opt-in consent.

In certain states, such as Virginia, California and Utah, you may have specific rights under state law concerning your right to opt-in consent, and the right to request the use and further disclosure of your data be limited. You can exercise this right by notifying our customer and then notifying our Privacy Officer.

Right to appeal your request. Residents of certain states may appeal our decision to decline to take action on a privacy-related request by you within a reasonable time after your receipt of the decision. Below is a summary of your rights based on your state of residency:

Colorado, Connecticut, and Virginia (effective as of July 1, 2023 in Colorado and Connecticut):

• Right to access, delete or correct your personal data
• Right to opt-out of sale of personal data for money
• Right to opt-out of targeted advertising
• No discrimination
• Right to appeal.

Utah (effective as of December 31, 2023):

• Right to access or delete personal data
• Right to opt-out of sale of personal data
• Right to opt-out of targeted advertising
• No discrimination.

California:

• Right to access, delete correct or delete personal data
• Right to opt-out of sale of personal data
• Right to opt-out of sharing of personal data for targeted advertising
• Right to limit the use of sensitive personal data
• No discrimination.

6.6 Your Privacy Right Under the California Shine the Light Act

How to Know If My Data Has Been Disclosed for Direct Marketing Purposes:

Subject to certain limitations under California Civil Code § 1798.83, if you are a California resident and have an established business relationship with us, you may ask us to provide you with:

• a list of certain categories of personal data that we have disclosed to certain third parties for their direct marketing purposes during the immediately preceding calendar year, and
• the identity of certain third parties that received personal data from us for their direct marketing purposes during that calendar year.

To make such a request, please contact our Privacy Officer.

6.7 Complaints

For individuals in California, if you are not satisfied with the outcome of a complaint you have made to us, you may submit a complaint with the California Privacy Protection Agency (https://privacy.ca.gov/)