Privacy Notice for CyberCoach Product
So this is a description of how our CyberCoach and we at Cult Security as its hosts and creators handle your personal information and what we do to protect it.
CyberCoach has two “sides”: your coach and your trainer. (No, not like Jekyll and Hyde, both of them are fun and friendly.) As your coach, the CyberCoach answers your questions. This side is anonymous. As your trainer, you work through fictional training scenarios together with CyberCoach to learn about security and privacy. Your organization may need to know who has completed what training, so we may provide that information at the end of the training if you allow us to do so.
From both coach and trainer sides, we aggregate dashboard views for your organization. We encourage the admin of your organization to share these views with you for transparency, and take care that no individual can be identified from these organization and role/unit level graphs. Read on for more details on how we protect your information and only process the very minimum needed to provide you with a stellar service.
What do you know about me and why?
We want you to be able to ask anything and learn without pressure, so we work extra hard to ensure you remain anonymous. Even though you are logged into your organization’s Microsoft Teams or Slack when you chat with CyberCoach, CyberCoach does not collect or store your name or account information during your conversation.
We at Cult Security do not know who you are or what you discuss with CyberCoach, because the only identifier we store for users is your Teams or Slack User ID. This is a random string of characters, which we cannot connect to your name or other identifying personal information.
The table below summarizes the kind of data we process, why we need to process it, and for how long we maintain it.
| What | Why | How Long |
|---|---|---|
| Session ID, duration of the conversation, information on completion/dropping out | For us to develop CyberCoach, diagnose issues, and keep the service up. Also to aggregate organization-wide usage analytics for your organization. | As long as your organization has the service in use, and the maximum of 90 days after. |
| IP address | For us to diagnose issues, and keep the service up. Not combined with what your training data or with what you have discussed with CyberCoach. | 90 days |
| Slack or Teams ID | To record training scenario completion. CyberCoach will make it very clear if this information is required and ask you specifically if you still wish to proceed. | As long as your organization has the service in use, and the maximum of 90 days after. |
| Training scores, right or wrong answers | To record training scenario completion. | As long as your organization has the service in use, and the maximum of 90 days after. |
Where is my data?
We keep and process everything in highly security-certified Microsoft Azure Cloud, and make sure nothing leaves the EU/ETA.
What are my rights?
| Right to be informed | We need to be transparent about what we do with your data, notify you of what your rights are and how you can exercise them. This document explains all that. |
| Right to rectification | We can’t help you much here. CyberCoach and we at Cult Security only process automatically generated data (log information) and information passed down from your organization, so anything inaccurate needs to be corrected at the source by contacting your organization’s IT. |
| Right to be forgotten | We are not able to identify your data, which means we cannot delete it either. |
| Right of access and data portability | The EU General Data Privacy Regulation grants you the right to receive a copy of information you provide to a service provider in a digital format. While CyberCoach receives input from you, we don't know what is your data, so we cannot provide access or copies. All information you have inputted is available to you through Microsoft Teams or Slack as long as your chat session remains open, and you will be able to copy it from there. |
| Right to restriction of processing | This one is quite simple. We do not process identifiable personal information, so processing can only be further restricted by you electing not to use the service. Please do so and talk to us or a representative from your organization in case you have concerns before returning to using the service. |
| Automated decision-making or profiling | CyberCoach does not judge. Or profile, or make decisions impacting you. |
Question or beef?
You can reach us at privacy[at]cultsecurity.com