xysec

Privacy Policy

Last updated: January 20, 2025

1. Introduction

xysec ("we," "our," or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:

  • Visit our website at xysec.io
  • Use our assessment platform at https://assessment.xysec.io
  • Access our client portal at https://manage.xysec.io
  • Engage with our cybersecurity consulting services

We act as the data controller for your personal information. This policy complies with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Australian Privacy Act 1988.

By using our services, you agree to the collection and use of information in accordance with this policy. For questions about our privacy practices, please contact us at contact@xysec.io.

2. Information We Collect

We collect several categories of personal information to provide our cybersecurity services. The specific data collected and the lawful bases for processing are detailed below:

Data Collection Categories

Category                  | Data Collected                                                      | Lawful Basis
Contact Information       | Name, Email address, Phone number, Company name                     | Consent, Contract Performance
Professional Information  | Job title, Company size, Industry sector                            | Legitimate Interest
Communications            | Form messages, Inquiry details, Email correspondence                | Consent, Contract Performance
Technical Data            | IP address, Browser type, Device information, Operating system      | Legitimate Interest
Assessment Data           | Security assessment responses, Uploaded documents, Scan results     | Contract Performance

Automatically Collected Information

When you visit our website, we automatically collect:

  • IP address and geolocation (approximate)
  • Browser type, version, and language
  • Device information and operating system
  • Pages visited, time spent, and click patterns
  • Referring website and search terms
  • Web vitals metrics (LCP, FID, CLS, FCP, TTFB) for performance monitoring

3. Lawful Bases for Processing (GDPR Article 6)

Under GDPR, we must have a lawful basis for processing personal data. Our lawful bases are:

Processing Activity       | Lawful Basis                             | Description
Contact form responses    | Consent (Article 6(1)(a))                | Explicit consent via form submission
Service delivery          | Contract (Article 6(1)(b))               | Performance of service agreements
Security monitoring       | Legitimate Interest (Article 6(1)(f))    | Protection against fraud and security threats
Marketing communications  | Consent (Article 6(1)(a))                | Opt-in newsletter subscription
Legal compliance          | Legal Obligation (Article 6(1)(c))       | Tax, accounting, regulatory requirements
Analytics                 | Legitimate Interest (Article 6(1)(f))    | Service improvement

4. Data Retention Policies

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

Data Type                 | Retention Period                        | Legal Basis
Contact form submissions  | 2 years after last contact              | Contractual, record-keeping
Client assessment data    | 7 years after engagement ends           | Professional liability requirements
Website analytics         | 12 months                               | Service improvement
IP address logs           | 12 months                               | Security purposes
Email communications      | 3 years                                 | Record-keeping
Payment records           | 7 years                                 | Tax/legal requirements
Client portal accounts    | Until account deletion + 30 day grace   | Service delivery
reCAPTCHA tokens          | 7 days                                  | Fraud prevention

Deletion Procedures: We use automated deletion scripts for expired data and implement secure deletion methods including cryptographic erasure where applicable. Backups are retained for 30 days before permanent deletion.

5. How We Use Your Information

We use your personal information for the following purposes:

Service Delivery

  • Providing cybersecurity consulting and advisory services
  • Conducting risk assessments and security audits
  • Managing security operations and monitoring
  • Granting access to the client portal and assessment platform
  • Delivering vCISO and governance services

Communication

  • Responding to your inquiries and support requests
  • Sending service notifications and updates
  • Providing security alerts relevant to our clients
  • Sending newsletters and marketing communications (with your consent)

Security and Fraud Prevention

  • Verifying identity and preventing fraudulent activity
  • Protecting against bot attacks using reCAPTCHA Enterprise
  • Monitoring for security threats and vulnerabilities
  • Complying with security obligations and industry standards

Analytics and Improvement

  • Monitoring website performance using Web Vitals
  • Analysing usage patterns to improve user experience
  • Developing new services and features

Legal Compliance

  • Complying with tax, accounting, and regulatory requirements
  • Responding to legal requests and regulatory inquiries
  • Enforcing our Terms of Service and other agreements

6. Third-Party Service Providers

We use trusted third-party service providers to help us operate our business and deliver our services. These providers have access to personal information only to perform specific tasks on our behalf and are obligated to protect your data.

Service                                          | Purpose                               | Data Shared                                                   | Safeguards
Supabase Inc. (Australia region, configurable)   | Database hosting and authentication   | Contact submissions, Authentication data, Client portal data  | Privacy Policy; Standard Contractual Clauses; AWS infrastructure
Google Cloud (United States)                     | reCAPTCHA Enterprise verification     | IP address, Device information, Browser data                  | Privacy Policy; EU-US Data Privacy Framework; SCCs
Vercel Inc. (United States)                      | Website hosting and deployment        | Minimal processing data                                       | Privacy Policy; Data processing agreement available

Data Processing Agreements: We have executed Data Processing Agreements (DPAs) with all third-party processors that handle personal data on our behalf. These agreements include Standard Contractual Clauses (SCCs) for international data transfers.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to enhance your experience, provide security, and analyse usage. Below is a detailed breakdown of the cookies we use:

Cookie Type                    | Purpose                                        | Provider   | Duration
Essential Cookies (Required)   | Authentication, session management, security   | xysec.io   | Session - 30 days
Security Cookies (Required)    | reCAPTCHA Enterprise verification              | Google     | Session
Analytics Cookies              | Web Vitals performance monitoring              | xysec.io   | 12 months
Preference Cookies             | User settings, language preferences            | xysec.io   | 12 months

Managing Cookies

You can control and manage cookies through your browser settings. Note that disabling essential cookies may prevent website functionality. Here are links to instructions for major browsers:

8. Your Privacy Rights (GDPR)

Under GDPR, you have specific rights regarding your personal data. We respect and will facilitate these rights upon verified request.

Right                                          | Description                                                          | How to Exercise
Right of Access                                | Receive a copy of your personal data                                 | contact@xysec.io
Right to Rectification                         | Correct inaccurate or incomplete data                                | contact@xysec.io
Right to Erasure                               | Request deletion of your personal data ("Right to be Forgotten")     | contact@xysec.io
Right to Restrict Processing                   | Limit how we use your data                                           | contact@xysec.io
Right to Data Portability                      | Receive your data in a structured, machine-readable format           | contact@xysec.io
Right to Object                                | Object to processing based on legitimate interest                    | contact@xysec.io
Rights Related to Automated Decision Making    | Human review rights for automated decisions                          | contact@xysec.io

Response Timeframes

We will respond to your request within 30 days of receipt. For complex requests, this period may be extended by an additional 60 days, in which case we will notify you within the initial 30-day period.

Verification Process

To protect your privacy, we may request information to verify your identity before granting access to or making changes to your personal information. Authorized representatives may submit requests on your behalf with proper authorization.

9. California Consumer Privacy Act (CCPA) Rights

If you are a California resident, you have specific rights under the CCPA and California Privacy Rights Act (CPRA).

Your CCPA Rights

  • Right to Know: You may request details about the categories of personal information we have collected, used, and shared.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out: You may opt out of the sale of personal information. Note: XySec does NOT sell personal information, so this right is not applicable.
  • Right to Non-Discrimination: You will not be discriminated against for exercising your privacy rights.

Notice: We Do Not Sell Personal Information

XySec has never sold, and does not sell, personal information. We do not have a "Do Not Sell My Personal Information" link because we do not engage in the sale of personal data.

Authorized Agents

California residents may designate an authorized agent to make requests on their behalf. We will verify the agent's authority before processing the request.

10. Data Security

As cybersecurity professionals, we implement industry-leading security measures to protect your information. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

Security Measures

Security Layer       | Measures Implemented
Encryption           | TLS 1.3 for data in transit, AES-256 for data at rest
Access Control       | Role-based access, least privilege principle
Authentication       | Secure password hashing, session management via Supabase
Network Security     | reCAPTCHA Enterprise, rate limiting (5/15 min)
Monitoring           | Regular security audits, vulnerability scanning
Data Minimization    | Only collect data necessary for stated purposes

Regular Security Practices

  • Regular security audits and penetration testing
  • Continuous vulnerability scanning and monitoring
  • Employee security awareness training
  • Incident response procedures and business continuity planning
  • Row Level Security (RLS) enabled on all database tables

11. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for all international transfers.

Data Locations

  • Primary Storage: Supabase Australia region (Sydney)
  • Authentication: Supabase Auth (Australia)
  • Security Services: Google Cloud reCAPTCHA (United States)
  • Hosting: Vercel Edge Network (global distribution)

Transfer Mechanisms

For transfers from the European Economic Area (EEA) to countries without an adequacy decision, we implement:

  • Standard Contractual Clauses (SCCs): European Commission-approved contractual clauses with all third-party processors
  • EU-US Data Privacy Framework: For transfers to US services certified under the framework
  • Adequacy Decisions: Utilization of EC adequacy decisions where applicable

12. Client Data Protection

For clients engaging our managed services, we maintain additional privacy and security commitments for your data.

Managed Services Commitments

  • Confidentiality: All client data is processed under strict confidentiality obligations
  • Data Segregation: Multi-tenant isolation at the database level with Row Level Security
  • Access Logging: All access to client data is logged and audited
  • Data Return/Deletion: Upon engagement termination, client data is returned or securely deleted per contractual terms
  • Sub-processing: Limited to essential service providers with Data Protection Impact Assessments (DPIAs)

Client Portal Privacy

The client portal (https://manage.xysec.io) operates under the same privacy principles with additional client-specific access controls. Each client has isolated access to their own data with a complete audit trail available upon request.

13. AI-Specific Privacy Considerations

Given our expertise in AI security, we maintain specific policies regarding the use of AI technologies in our services.

AI Training Data

We do NOT train AI models on client data without explicit consent. Client data used for AI security services (Security By AI) is processed for the specific service delivery and is not incorporated into any machine learning training datasets without separate written agreement.

AI-Generated Insights

  • Security assessments may include AI-generated findings and recommendations
  • All AI-generated outputs are subject to human review before delivery to clients
  • Clients may request human review of any AI-based decisions affecting their assessment results
  • We maintain transparency about when AI is used in our service delivery

AI Transparency

When AI tools are used in providing our services:

  • We disclose the use of AI in relevant service documentation
  • We explain the limitations of AI-based assessments
  • We provide human oversight and intervention capabilities
  • We maintain an appeal process for AI-based decisions

14. Children's Privacy

Our services are not directed to individuals under 18 years of age. Under the Australian Privacy Principles and other applicable regulations, we do not knowingly collect personal information from children.

If we discover that we have collected personal information from a child under 18 without parental consent, we will take immediate steps to delete that information. If you believe we have collected information from a child, please contact us at contact@xysec.io.

15. Do Not Track Signals

Some web browsers include a "Do Not Track" (DNT) signal that communicates your privacy preferences to websites.

Current Policy: We do not respond to browser DNT signals because there is no consistent legal or technical standard for how websites should implement DNT. Additionally, DNT signals are not universally adopted across all browsers and platforms.

Alternative: To opt out of analytics tracking, please contact us at contact@xysec.io. We will honour your request to disable tracking cookies for your browser.

16. Data Breach Notification

In the unlikely event of a data breach involving your personal information, we follow established notification procedures based on applicable regulations.

Scenario                        | Timeline                                | Method
GDPR (high-risk breach)         | Within 72 hours of discovery            | Email + website notice + regulatory authority
CCPA (California residents)     | Without unreasonable delay              | Email + website notice
Australian residents affected   | As required under Privacy Act 1988      | OAIC notification if eligible

Breach Response Process

  1. Immediate containment and investigation of the breach
  2. Risk assessment to determine potential harm to individuals
  3. Regulatory authority notification where required
  4. Individual notification for high-risk breaches
  5. Documentation and implementation of prevention improvements

17. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, applicable laws, or regulatory requirements.

Notification Methods

  • Posting the updated policy on this page with a new "Last updated" date
  • Email notification for material changes (if you have provided your email)
  • Website notice for significant policy changes

Material changes will take effect at least 30 days after notice. Your continued use of our services after the effective date constitutes acceptance of the updated policy. Prior versions of this policy are available upon request.

18. Glossary

Key terms used in this Privacy Policy:

Personal Data / Personal Information

Any information relating to an identified or identifiable natural person.

Processing

Any operation performed on personal data, such as collection, storage, use, or deletion.

Data Controller

The entity that determines the purposes and means of processing personal data.

Data Processor

A third party that processes personal data on behalf of the controller.

Data Subject

The individual to whom personal data relates.

Cookie

A small text file stored on your device when you visit a website.

IP Address

A unique numerical label assigned to each device connected to a computer network.

Sensitive Personal Information

Information that requires higher protection, such as health, biometric, or government identifiers.

19. Contact Us

If you have questions about this Privacy Policy, our privacy practices, or would like to exercise your privacy rights, please contact us:

Regulatory Authorities

If you have unresolved concerns about our privacy practices, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction:

  • Australia: Office of the Australian Information Commissioner (OAIC) - oaic.gov.au
  • Europe: Your local data protection supervisory authority
  • California: California Attorney General - oag.ca.gov