Privacy Policy

Recordkeeping Protocol:

We will only collect personal information of clients, customers and employees that is necessary to accomplish our legitimate business transactions or to comply with any and all federal, state and local laws.

Within 30 days of the publication of or any update to the WISP, the Data Security Coordinator or his/her designee shall perform an audit of all relevant company records to determine which records contain personal information, assign those files to the appropriate secured storage location, and redact, expunge or otherwise eliminate all unnecessary personal information in a manner consistent with the WISP.

Any personal information stored shall be disposed of when no longer needed for business purposes or required by law for storage. Disposal methods must be consistent with those prescribed by the WISP.

No personal information will ever be transferred to paper or any media other than COMPANY secured electronic devices.

All electronic media and other non-paper media containing personal information shall be destroyed or erased so that personal information cannot practicably be read or reconstructed. 

Electronic records containing personal information shall not be stored or transported on any portable electronic device, sent or transmitted electronically to any portable device, or sent or transported electronically to any computer, portable or not, without first being encrypted. The only exception shall be where there is no reasonable risk of unauthorized access to the personal information or it is technologically not feasible to encrypt the data as and where transmitted.

Disclosure of Personal Information to Third Parties (If applicable):

In practice, our company does not disclose personal information to third parties. COMPANY is committed to handling personal information responsibly and minimizing disclosures to only those that are strictly necessary and permitted under applicable data protection frameworks, including the Data Privacy Framework (DPF) Program.

In the event that COMPANY determines it is necessary to disclose personal information to a third party, COMPANY will:

  • Provide individuals with prior notice of such disclosure, including the name or category of the third party and the purpose of the disclosure;

  • Ensure the third party provides the same level of privacy protection as required under the DPF Principles;

  • Enter into a written agreement with the third party to ensure that personal information is used only for the authorized purposes and is safeguarded appropriately; and

  • If COMPANY does transfer personal information to a third party acting as an agent on COMPANY's behalf, COMPANY shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.

Any such disclosures, if made, will be limited to:

  • Service providers performing services on our behalf (e.g., IT support, data hosting), and only where necessary for the performance of those services; and

  • Legal or regulatory authorities when required to comply with legal obligations, subpoenas, or lawful requests.

COMPANY does not sell personal information to third parties, and COMPANY will never disclose personal information for purposes that are materially different from those stated at the time of collection without obtaining your consent.

Individual Choice and Opt-Out Rights (If applicable):

In accordance with the Data Privacy Framework (DPF) Principles, individuals have the right to choose (opt out of): 

  • (If applicable) The disclosure of their personal information to third parties not acting as agents on behalf of COMPANY; and

  • The use of their personal information for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the

To exercise this opt-out right, individuals may contact us at: Legal@activecyber.com

COMPANY will honor opt-out requests in accordance with the DPF Principles and applicable law, and will not use or disclose personal information for any materially different purpose without obtaining the individual's affirmative consent where required.


Access Control Protocol:

All our computers shall restrict user access to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.

Access to electronically stored records containing personal information shall be electronically limited to those employees having an authorized and unique log-in ID assigned by the Data Security Coordinator.

To the extent applicable to each device type, all laptops and other computing devices: (i) will be equipped with a minimum of AES 128-bit full hard disk drive encryption and will have pre-boot PIN-based authentication; (ii) will have industry-standard, up-to-date virus and malware detection and prevention software installed, with virus definitions updated no less than every three (3) calendar days; and (iii) shall maintain software so as to remain on a supported release. This shall include, but not be limited to, the obligation to promptly implement any applicable security-related enhancement or fix made available by the supplier of such software.


  • A detailed description of the nature and circumstances of the security breach or unauthorized acquisition or use of personal information;

  • The steps already taken relative to the incident;

  • Any steps intended to be taken relative to the incident subsequent to the filing of the notification;

  • Information regarding whether law enforcement officials are engaged in investigating the

  • Any corresponding notifications made to partner entities (Cloud, etc.) that might be impacted by the breach.

COMPANY already has a consistent level of data protection and security across our organization, but we have introduced new measures to ensure compliance.

  • Information Audit — We carried out an audit to make sure we continue to not store any personal data on our computers.

  • Policies and Procedures — we have revised data protection policies and procedures to meet the requirements and standards of the GDPR and any relevant data protection laws, including:

      • Data Protection - our main policy and procedure document for data protection has been revised to meet the standards and requirements of the GDPR. Accountability and governance measures are in place to ensure that we understand, adequately disseminate and evidence our obligations and responsibilities, with a dedicated focus on privacy and the rights of individuals.

      • Data Retention and Erasure – our policy is not to store any personal data on our

      • Data Breaches - our procedures ensure that we have safeguards in place to identify, assess, investigate and report any personal data breach as early as possible. Our procedures have been explained to all employees.

      • International Data Transfers and Third-Party Disclosures - where COMPANY stores or transfers personal information outside the EU, we have robust procedures in place to secure the integrity of the data.

      • Subject Access Request (SAR) - we have revised our SAR procedures to accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge.

  • Privacy Notice/Policy - our Privacy Notice complies with the GDPR, ensuring that all individuals whose personal information we may need to process and retain will be informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.

  • Obtaining Consent - we will seek consent before obtaining personal data, ensuring that individuals understand what they are providing, why and how we use it, and giving clear, defined ways to consent to us processing their information.

  • Direct Marketing – we will not use any personal data for direct marketing.

  • Data Protection Impact Assessments (DPIA) - where we process personal information that is considered high risk, we have developed stringent procedures for carrying out impact assessments that comply fully with Article 35 of the GDPR. We have implemented documentation processes that record each assessment, allow us to rate the risk posed by the processing activity and implement mitigating measures to reduce the risk posed to the data subjects.

  • Processor Agreements – we will not engage third parties to process personal data.


Data Subject Rights

If we hold any personal data, we would provide easy-to-access information via our website about an individual's right to access any personal information that COMPANY processes about them and to request information about:

  • what personal data we hold about them

  • the purposes of the processing

  • the categories of personal data concerned

  • the recipients to whom the personal data has been or will be disclosed

  • how long we intend to store their personal data for

  • if we did not collect the data directly from them, information about the source

  • the right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this

  • the right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use

  • the right to lodge a complaint or seek judicial remedy and who to contact in such instances

Information Security and Technical and Organizational Measures

COMPANY takes the privacy and security of individuals and their personal information very seriously and takes every reasonable measure to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorized access, alteration, disclosure or destruction.

Legal basis for processing personal information (EEA visitors only)

If you are a visitor from the European Economic Area, our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it.

However, we will normally collect personal information from you only (i) where we need the personal information to perform a contract with you (including to provide Services), (ii) where the processing is in our legitimate interests and not overridden by your rights, or (iii) where we have your consent to do so. In some cases, we may also have a legal obligation to collect personal information from you or may otherwise need the personal information to protect your vital interests or those of another person.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

If we collect and use your personal information in reliance on our legitimate interests (or those of any third party), this interest will normally be to operate our Sites and Services and to communicate with you as necessary to provide our Sites and Services to you and for our legitimate commercial interest, for instance, when responding to your queries, improving our Sites and Services, undertaking marketing, or for the purposes of detecting or preventing illegal activities. We may have other legitimate interests, and if appropriate we will make clear to you at the relevant time what those legitimate interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the “How to contact us” heading below.

How does COMPANY keep my personal information secure?

We use appropriate technical and organizational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. When you enter sensitive information (such as login credentials), we encrypt the transmission of that information using Secure Sockets Layer (SSL) technology.

We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once we receive it. No method of transmission over the internet or method of electronic storage is 100% secure, however. Therefore, we cannot guarantee its absolute secrecy. If you have any questions about security on our Sites, you can contact us at shawn.matthew@activecyber.com.

International data transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are a resident. These countries may have data protection laws that are different from the laws of your country and, in some cases, may not provide the same level of protection. 

Specifically, our Sites and Services are hosted in the USA, and our group companies and third-party service providers and partners operate around the world. The data we collect from you may be transferred to, and stored at, a destination outside the EEA. It may also be processed by staff operating outside the EEA who work for us or for one of our service providers.

However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. These include the EU-U.S. Data Privacy Framework Principles, as well as our APEC participation.

EU-U.S. Data Privacy Framework Principles


COMPANY complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. COMPANY has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit website.

COMPANY is responsible for the processing of personal data it receives, under the Data Privacy Framework Principles, and subsequently transfers to a third party acting as an agent on its behalf. COMPANY complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Data Privacy Framework Principles, COMPANY is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, COMPANY may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the EU-U.S. DPF, COMPANY commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF in the context of the employment relationship.

In compliance with the EU-U.S. DPF, COMPANY commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to ICDR-AAA's IRM, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit website for more information or to file a complaint. The services of ICDR-AAA's IRM are provided at no cost to you.


Under certain conditions, more fully described on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

Data retention

As long as your account remains active, or to comply with applicable legal, tax, or accounting requirements.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Your data protection rights

Depending on the country in which you reside, you may have the following data protection rights:

  • If you wish to access, correct, update, or request deletion of your personal information, these rights can be exercised by contacting us using the contact details provided under the “How to contact us” heading below.

  • In addition, you can object to processing of your personal information, ask us to restrict processing of your personal information, or request portability of your personal information. Again, you can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.

  • You have the right to opt out of marketing communications we send you at any time. You can exercise this right by sending us an email at matthew@activecyber.com, or you can unsubscribe by following the instructions contained in the message you received. We do reserve the right to send you certain communications relating to the Services, such as service announcements and administrative messages, that are considered part of your account membership, and we do not offer you the opportunity to opt out of receiving those messages.

  • Similarly, if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

  • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the European Economic Area, and certain non-European countries (including the U.S. and Canada), are available here.

How to contact us

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. The data controller of your personal information is Active Cyber LLC.

If you have any questions about our GDPR compliance policies, please contact Shawn Mathew by phone at 214-646-3353 or by email at shawn.mathew@activecyber.com.


APPENDIX A
Partner Specific Security Directives

Cloud Application

In addition to the policies and procedures outlined above, all COMPANY Cloud Application consultants are required to adhere to the following security practices and directives:

  1. Only authorized COMPANY consultants are permitted access to Cloud Application tenants, Projector and any other third-party applications used to support Cloud implementations or development activities.

  2. COMPANY consultants will be diligent in ensuring the confidentiality, availability and integrity of Cloud client data. Specific requirements for ensuring the security of Cloud client personal data (any information related to client practices, client financial data and client users) are:

      • No client personal data shall be resident on a consultant laptop unless that laptop is physically secured. No personal data should be resident on a laptop while it is in transit, whether in a consultant's car, an airport, or any other mode of transportation.

      • No client personal data shall be resident on a consultant laptop unless that laptop is logically secured. All consultant laptops must maintain a valid anti-virus application running in auto-update mode to ensure it maintains the most recent virus and malware protection files.

      • All consultants must utilize encrypted mechanisms for the storage and transmission of Cloud client personal data. Any files stored on laptops, desktops, or any sort of removable storage must be secured via encryption (password-protected zip files, etc.). File transmission tools must be encrypted (SFTP, PGP, HTTPS, etc.).

  3. Any indication of any potential threat to, or exposure of, Cloud client personal data must be reported to the COMPANY Data Security Coordinator (Shawn Mathew).