Privacy Notice for CyberCoach in Slack

This is a description of how our CyberCoach and we at Cult Security as its hosts and creators handle your personal information and what we do to protect it.

CyberCoach has two “sides”: your coach and your trainer. (No, not like Jekyll and Hyde, both of them are fun and friendly.) As your coach, the CyberCoach answers your questions. This side is anonymous. As your trainer, you work through fictional training scenarios together with CyberCoach to learn about security and privacy. Your organization may need to know who has completed what training, so we may provide that information at the end of the training if you allow us to do so.

From both coach and trainer sides, we aggregate dashboard views for your organization. We encourage the admin of your organization to share these views with you for transparency, and take care that no individual can be identified from these organization and role/unit level graphs. Read on for more details on how we protect your information and only process the very minimum needed to provide you with a stellar service.

What do you know about me and why?

We want you to be able to ask anything and learn without pressure, so we work extra hard to ensure you remain anonymous. Even though you are logged into your organization’s Slack when you chat with CyberCoach, CyberCoach does not collect or store your name or account information during your conversation.

We at Cult Security do not know who you are or what you discuss with CyberCoach, because the only identifier we store for users is your Slack User ID. This is a random string of characters, which we cannot connect to your name or other identifying personal information.

The table below summarizes the kind of data we process, why we need to process it, and for how long we maintain it.

What: Session ID, duration of the conversation, information on completion/dropping out
Why: For us to develop CyberCoach, diagnose issues, and keep the service up. Also to aggregate organization-wide usage analytics for your organization.
How long: As long as your organization has the service in use, and a maximum of 90 days after.

What: IP address
Why: For us to diagnose issues and keep the service up. Not combined with your training data or with what you have discussed with CyberCoach.
How long: 90 days

What: Slack ID
Why: To record training scenario completion. CyberCoach will make it very clear if this information is required and ask you specifically if you still wish to proceed.
How long: As long as your organization has the service in use, and a maximum of 90 days after.

What: Training scores, right or wrong answers
Why: To record training completion.
How long: As long as your organization has the service in use, and a maximum of 90 days after.

What: Name and email address (if your organization has enabled this). This feature is optional for admins. If you are not sure whether this feature is enabled or not, you will need to contact the admin of your organization.
Why: To record training completion (yes/no). Not combined with your other training data or with what you have discussed with CyberCoach.
How long: As long as this setting is enabled. The data will be deleted immediately after the setting is deactivated, or a maximum of 90 days after the end of the contract.


Where is my data?

We store and process CyberCoach usage data in the security-certified Microsoft Azure cloud, and ensure that your CyberCoach usage data does not leave the EU/EEA, in compliance with the requirements of the EU General Data Protection Regulation (GDPR). If you do not want your personal data processed by us in the EU, please do not use CyberCoach, and contact your organization's admin or HR.

Your IP address may be processed by Cloudflare, separately from your identifiable personal data and CyberCoach usage data, to secure your web-based CyberCoach session. This processing may take place in the United States. To opt out of this, use CyberCoach within Slack without opening the application in the browser.

What are my rights?

Right to be informed: We need to be transparent about what we do with your data, and notify you of what your rights are and how you can exercise them. This document explains all that.

Right to rectification: We can’t help you much here. CyberCoach and we at Cult Security only process automatically generated data (log information) and information passed down from your organization, so anything inaccurate needs to be corrected at the source by contacting your organization’s IT.

Right to be forgotten: We are able to identify you only if your organization has elected to store email addresses in the training records. In that case we can delete all your data: your email address and which trainings you have completed. Contact your organization admin first.

Right of access and data portability: The EU General Data Protection Regulation grants you the right to receive a copy of the information you provide to a service provider in a digital format. While CyberCoach receives input from you, we don't know which data is yours, so we cannot provide access or copies. All information you have inputted is available to you through Microsoft Teams or Slack as long as your chat session remains open, and you will be able to copy it from there.

Right to restriction of processing: This one is quite simple. We do not process identifiable personal information, so processing can only be further restricted by you electing not to use the service. Please do so and talk to us or a representative from your organization if you have concerns before returning to the service.

Automated decision-making or profiling: CyberCoach does not judge. Or profile, or make decisions impacting you.


Data transfers

Your data will not be shared with parties other than those mentioned here: Slack, Microsoft and Cloudflare. We will never sell your personal data or use it for marketing. No CyberCoach usage data will leave the EU/EEA, but browser-based CyberCoach sessions are protected by Cloudflare, which may process your IP address and cookie data in the US. The Cloudflare privacy policy can be found here: https://www.cloudflare.com/privacypolicy/. When Cloudflare transfers personal data from the EEA to the United States, we rely on their certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

Question or beef?

If you want us to delete your data, please contact your organization's administrator first. We will need your administrator's help to delete your data. You can reach us at privacy[at]cultsecurity.com.