Privacy Notice for CyberCoach Product
So this is a description of how our CyberCoach and we at Cult Security as its hosts and creators handle your personal information and what we do to protect it.
CyberCoach has two “sides”: your coach and your trainer. (No, not like Jekyll and Hyde, both of them are fun and friendly.) As your coach, the CyberCoach answers your questions. This side is anonymous unless you want human assistance in resolving the issue and specifically allow CyberCoach to forward that request within your organization. As your trainer, you work through fictional training scenarios together with CyberCoach to learn about security and privacy. Your organization may need to know who has completed what training, so we may provide that information at the end of the training if you allow us to do so.
From both coach and trainer sides, we aggregate dashboard views for your organization. We encourage the admin of your organization to share these views with you for transparency, and take care that no individual can be identified from these organization and role/unit level graphs. Read on for more details on how we protect your information and only process the very minimum needed to provide you a stellar service.
What do you know about me and why?
We want you to be able to ask anything and learn without pressure, so we work extra hard to ensure you remain anonymous. Even though you are logged into your organization’s Microsoft Teams or Slack when you chat with CyberCoach, CyberCoach does not collect or store your name or account information during your conversation.
We at Cult Security do not know who you are or what you discuss with CyberCoach, unless
you specifically allow CyberCoach to assist you in reporting security issues or requesting further support. In that case we need to pass your name, e-mail and issue information based on the discussion (you will be able to preview this before submitting) forward to the appropriate service in your organization. We will delete this information from our systems within 48 hrs.
you have completed a training scenario and wish to push this record to your organization’s training or HR system. We will also delete this information within 48 hrs of submitting it to your organization.
The table below summarizes the kind of data we process, why we need to process it, and for how long we maintain it.
| What | Why | How Long |
|---|---|---|
| Session ID, duration of the conversation, information on completion/dropping out | For us to develop CyberCoach, diagnose issues, and keep the service up. Also to aggregate organization-wide usage analytics for your organization. | As long as your organization has the service in use, and the maximum of 90 days after. |
| IP address | For us to diagnose issues, and keep the service up. Not combined with what you have discussed with CyberCoach. | 90 days |
| Name and organizational email address | To record training scenario completion. Also if you wish CyberCoach to help you forward a ticket for you to receive further assistance. CyberCoach will make it very clear if this information is required and ask you specifically if you still wish to proceed. | As long as your organization has the service in use, and the maximum of 90 days after. |
| Training scores, right or wrong answers | To record training scenario completion. | As long as your organization has the service in use, and the maximum of 90 days after. |
Where is my data?
We keep and process everything in highly security-certified Microsoft Azure Cloud, and make sure nothing leaves the EU/ETA.
What are my rights?
| Right to be informed | We need to be transparent about what we do with your data, notify you of what your rights are and how you can exercise them. This document explains all that. |
| Right to rectification | We can’t help you much here. CyberCoach and we at Cult Security only process automatically generated data (log information) and information passed down from your organization, so anything inaccurate needs to be corrected at the source by contacting your organization’s IT. |
| Right to be forgotten | We got you covered! Everything that could possibly be used to identify you (IP address, or in the case you have asked CyberCoach to pass your information within your organization for further assistance, your name and e-mail address) gets automatically deleted after 48 hrs. |
| Right of access and data portability | The EU General Data Privacy Regulation grants you the right to receive a copy of information you provide to a service provider in a digital format. While CyberCoach receives input from you, everything is deleted from our systems within 48 hrs. This information you have inputted will still remain available to you through Microsoft Teams or Slack as long as your chat session remains open, and you will be able to copy it from there. |
| Right to restriction of processing | This one is quite simple. We only process information you can be identified from when you use CyberCoach and 48 hrs after. As the information collected is already strictly minimized, and you are in full control of when CyberCoach is allowed to know who you are, this processing can only be further restricted by you electing not to use the service. Please do so and talk to us or a representative from your organization in case you have concerns before returning to using the service. |
| Automated decision-making or profiling | CyberCoach does not judge. Or profile, or make decisions impacting you. |
Question or beef?
You can reach us at privacy[at]cultsecurity.com