Privacy policy
1. ABOUT US
1.1 CFC Security is a specialist cyber incident response service provider which trades under the name of either Solis or CFC Response. We provide pragmatic and innovative solutions to our customers across the world.
In this Privacy Notice references to “we” or “us” or “our” are to:
as appropriate.
This Privacy Notice (the “Notice”) sets out how we process the personal data of our customers and, where relevant, website visitors and CFC Response app users (“Users”). Residents of the State of California should also refer to the CCPA Addendum, available here.
1.2 The data controller will be the company that originally collected your information and will be listed on the documentation provided to you. If you have any questions about this Notice, please contact dataprotection@cfc.com.
2. WHAT INFORMATION DO WE PROCESS
Personal Data
2.1 We will process personal data when you are introduced to us for one of our products or services, or in the course of providing you with one of our products or services.
The types of information we process under paragraph 2.1 above may include:
2.2.1 Information you provide us when you are introduced to us, including names, phone number, email address or other information provided by you in connection with our potential engagement;
2.2.2 Information you provide us to help us carry out our obligations under any contract in place between us and you; and
2.2.3 Information you provide us through our CFC Response app.
2.3 We may also process personal data as part of our Forensics and Security Information Response Services, from your hard drives, servers, networks and/or computer systems to enable us to:
2.3.1 carry out our obligations under any contract in place between us and you; and
2.3.2 find patterns and correlations in data sets through the use of data mining technology.
The types of personal data that we may process under paragraph 2.3 above will depend upon what data is stored on your computer hard drives, servers, networks and/or computer systems and may include:
2.3.1 Information that is visible to us from the live customer environment;
2.3.2 Any information that you hold (which may include personal data) or which can otherwise by accessed on your services, hard drives, networks and/or computers (including but not limited to employee data and communications);
2.3.3 Information that is contained within personnel email accounts to which we are granted administrative access; and
2.3.4 Information that is copied from your server in the course of our forensic investigation.
2.4. Where such information is present on your hard drives and/or computer systems, we may also process special categories of personal data (as defined in the GDPR) about your employees, customers and/or other third parties. This may also be used to find patterns and correlations in data sets through the use of data mining technology.
2.5 The processing of special categories of personal data under paragraph 2.4 will only be incidental to the services we provide to you. Such processing may be necessary where we have been instructed to carry out data mining activities for you, to identify what data has potentially been exposed in a data breach. The processing of special categories of personal data may also take place in connection with any Forensics and Security Information Response Services that we provide to you and will only be processed for the purposes of the provision by us of those Forensics and Security Information Response Services.
2.6 We may also collect data (such as IP and/or infrastructure data) which is sufficiently anonymised and/or aggregated such that the data subject cannot be identified directly or indirectly from it. Further information about our use of cookies is included in our Cookie Notice
3. GROUNDS FOR PROCESSING
3.1 To process your data lawfully we need to rely on one or more valid legal grounds. Our primary legal ground is that we need the data to fulfil our contract with you or to take certain steps prior to entering our contract with you. However, there may be circumstances where we also rely on other valid legal grounds, such as:
3.1.1 our legitimate interests as a business (except where your interests or fundamental rights override these). For example, it is within our legitimate interests to use your data to prevent or detect fraud or abuses of our CFC Response app and/or website; or
3.1.2 your consent, or the consent of your employees, customers and/or other third parties, where legally required to obtain consent; or
3.1.3 our compliance with a legal obligation to which we are subject. For example, if we have a duty to provide information pursuant to a Court order and need to process your data as part of such request.
3.2 In addition to the above legal grounds, where we process special categories of personal data as part of our data mining activities and/or Forensics and Security Information Response Services such processing will be incidental to the services we provide and we may do so where the processing is necessary:
3.2.1 to comply with, or assist you to comply with, a regulatory requirement to take steps to establish whether a person has committed an unlawful act or been involved in seriously improper conduct and consent cannot reasonably be expected to be obtained and it is necessary for reasons of substantial public interest; or
3.2.2 for an insurance purpose and for reasons of substantial public interest and such processing can reasonably be carried out without data subject consent.
4. DISCLOSURE OF YOUR INFORMATION
4.1 There are circumstances where we may wish to disclose or are compelled to disclose your personal data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure:
4.1.1 to members of the CFC Group and their and our respective branches or associated offices including CFC regional incident response labs where data will be stored physically;
4.1.2 to our outsourced service providers or suppliers to facilitate the provision of our services or products to you including to external forensic vendors where their engagement is necessary in connection with our provision of services to you;
4.1.3 to third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons;
4.1.4 to online incident response share repositories;
4.1.5 to another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your personal data will be permanently transferred to a successor company;
4.1.6 to legal advisors who you have instructed in connection with any cyber incident;
4.1.7 to public authorities where we are required by law to do so; and
4.1.8 to any other third party where you have provided your consent.
5. INTERNATIONAL TRANSFER OF PERSONAL DATA
5.1 We may need to transfer your personal data internationally, either within the CFC Group or to third parties, as envisaged by paragraph 4. Where required by applicable law, we ensure that your data protection rights are adequately protected by appropriate technical, organisation, contractual or other lawful means including by:
a) ensuring that transfers related to UK and EU data subjects within the CFC Group are subject to the EU Commission’s standard contractual clauses, and the ICO’s international data transfer addendum,
b) where we need to send your personal data to third parties who are involved in providing you with services, we require them to provide contractual commitments that preserve your privacy rights, including by incorporating standard contractual clauses where required.
If you would like to know more about how we protect your personal data and privacy rights, and for a copy of the safeguards we have in place, please contact dataprotection@cfc.com
6. INFORMATION FOR MARKETING PURPOSES
6.1.Where you have consented to us using your personal data for marketing purposes, we may use your information as follows:
to provide you with information, products or services that you request from us or which we feel may interest you; and
for market research purposes, where we may contact you to ask for your feedback.
If at any time after you have consented to us using your information for marketing purposes you wish us to stop using your information for these purposes, you will always be able to unsubscribe by clicking on the unsubscribe link within the marketing emails you receive from us.
7. RETENTION OF PERSONAL DATA
7.1 If you are, or have previously been, a customer of ours then we may continue to hold and process your information for the purpose of continuing to carry out our obligations in connection with the contract between us and you. We will continue to hold and process your information for the duration of the contract and for a reasonable period of time afterwards as required by law.
7.2 We may keep an anonymised form of your personal data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
8. DATA SUBJECT RIGHTS
8.1 Data protection law provides UK and EU data subjects with specific rights in relation to their personal information, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their personal data. Individuals also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law. For residents of California, please see the CCPA Addendum.
8.1.1 Right to make subject access request (SAR). Where we are processing your personal data as a data controller you may, where permitted by applicable law, request copies of your personal data. If you would like to make a SAR, i.e. a request for copies of the personal data we hold about you, you may do so by writing to us at dataprotection@cfc.com. The request should make clear that a SAR is being made. You may also be required to submit a proof of your identity and a fee.
8.1.2 Right to rectification. You may request that we rectify any inaccurate and/or complete any incomplete personal data.
8.1.3 Right to withdraw consent. You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. Please note that if you withdraw your consent, we may not be able to provide all of the services under the contract entered into between us and you for which the processing of your personal data is essential.
8.1.4 Right to object to processing. You may, as permitted by applicable law, request that we stop processing your personal data.
8.1.5 Right to erasure. You may request that we erase your personal data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your personal data, such as a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.
8.1.6 Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data. However, you do have the right to contact the relevant supervisory authority directly.
9. LINKED WEBSITES
Please note that any websites that may be linked to our websites are subject to their own privacy policy.
10. CHANGES TO THIS NOTICE
We may update this Notice from time to time to ensure that it remains accurate. Please check back regularly so you are fully aware of any changes.
This Notice was last updated on: 15 May 2024