No data will ever be shared or used for direct marketing purposes by us or any third parties.
In the event that the service is acquired by another entity with a different Privacy Policy, account owners will be advised of the changes and given the option to close their accounts.
New products and services from us will only be mentioned from within the service itself rather than via email or other messaging channels.
No data will ever be shared or used by other entities, except where required to provide the service.
Metrics may be collected in aggregate and shared between customers after de-identifying that data, such as to allow a maturity comparison between organisations within and across industries.
Metadata associated with the usage of the service are captured, logged, archived and analysed to aid in the maintenance and evolution of the service.
User names and email addresses are provided via authentication services and may be stored in logs and audit trails. These are required for authentication, authorisation and attribution purposes.
Some contact information may be stored for the purposes of incorporating that data into reports and documents.
All other data collected is provided by the end users or automated systems integrated with the service. These may include internal security details, such as controls implemented, the maturity of those controls along with the system and information assets they apply to.
This section of our Privacy Policy outlines how the Cybersecurity Office SaaS solution utilises subprocessors to provide certain features and services, specifically in relation to the use of OpenAI's API. We are committed to maintaining the privacy and security of your personal and commercial data when using our services.
We use the OpenAI API as a sub-processor to enhance our services in the following scenario:
Any references to the organisation name set in the Tenant profile is masked in any data sent to the OpenAI API, irrespective of the entities within which those matches are found. While it may be possible to infer from other information the owner of the data being sent, there is no direct traceability via this path.
OpenAI API usage has its own policies, including the Data processing addendum. Please refer to these to understand your obligations and rights. The key details to note include:
Conversations with the virtual cybersecurity architect are retained within the Cybersecurity Office system and associated with your login name, which is typically your email address. We retain this data for the following purposes:
We will notify you of any updates or changes to our list of subprocessors, including OpenAI, by providing at least 14 days notice before granting any new subprocessor access to your personal data. If you do not approve of such changes, you may terminate your subscription for the affected offering without penalty by providing written notice of termination, including an explanation of the grounds for non-approval, prior to the expiration of the notice period.
As outlined above, personal information is limited to contact information provided for the purposes of producing reports and other documents.
Cybersecurity Office remains responsible for the compliance of our subprocessors, including OpenAI, with the obligations set forth in this Privacy Policy. We carefully select subprocessors and continuously monitor their data protection practices to ensure that your personal data remains secure and protected.
By using our services, you consent to the use of subprocessors, as described in this Privacy Policy. If you have any questions or concerns regarding our subprocessors or the processing of your personal data, please do not hesitate to contact us.
Privacy issues should be raised directly with us from within the service after logging in with your user credentials, or by submitting a support request.
If we are unable to resolve the privacy issue, you may wish to raise it directly with the OAIC.