Privacy and Terms

1. Introduction and Who We Are
   
2. The Personal Data That We Collect About You, Purpose(s) and Lawful Bases
3. The Recipients, or Categories of Recipients, of Your Personal Data
4. Transfers of Your Personal Data Outside the EU/EES
5. How Long We Keep Your Personal Data
6. Your Rights Under the GDPR
7. Your Right to Complain to Integritetsskyddsmyndigheten
8. Personal Data That You May Be Obligated by Law or Contract to Provide
9. Our Automated Decision-Making and Profiling Actions
10. Cookies

1. Introduction and Who We Are

Truesec Group (hereinafter jointly, "Truesec", "Group" or "we/us") is a market-leading and highly regarded company that focuses on cybersecurity, secure infrastructure, and secure development. It is our purpose to help our customers within each respective field by providing world-class products and services, and we always let our purpose guide us in our work. For more information about us, please see the “About Us” section of our website at https://www.truesec.com/about-....

This privacy notice explains how Truesec, in the capacity of data controller, collect, use, maintain, and disclose the personal data from you if you buy and/or use our products and services, visit our website, fill out one of our online forms, subscribe to our newsletters, and attend any of our events. For the purpose of this notice, Truesec means the companies set out below.

If you have any questions, wish to exercise any of your rights under the EU General Data Protection Regulation (EU) 2016/679 (hereinafter, the "GDPR") in relation to our processing of your personal data, or otherwise wish to come into contact with Truesec regarding our processing of your personal data, please also find contact details to us below.

Name:	Joint Addresses:	Joint Contact Details:
Truesec Group AB (company reg. no. 556690-8074)	Oxtorgsgränd 2 SE-111 57 Stockholm Sweden	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Truesec AB (company reg. no. 556676-3073)
Truesec Infrastructure AB (company reg. no. 559048-7079)
Truesec Detect AB (company reg. no. 559121-7046)
Truesec Inspect AB (company reg. no. 559148-3788)
Truesec HTI AB (company reg. no. 559305-2656)
Truesec IoT AB (company reg. no. 559361-8589
Truesec Development AB (company reg. no. 556919-7311)	Torggatan 4 SE-211 40 Malmö Sweden	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Säkerhetskontoret i Sverige AB (company reg.no. 556959-1125)	Sandelsgatan 16 SE-115 34 Stockholm Sweden	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Truesec A/S (company reg. no. 42823007)	Klokkerbakken 100 DK-8210 Århus V Denmark	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Truesec Oy (company reg. no. 3298888-5)	Keilaniementie 1 FI-02150 Espoo Finland	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Truesec GmbH (company reg. no. HRB 205565)	Rosenheimerstraße 143c DE-81671 Munich Germany	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se
Truesec Norway AS (company reg. no. 930 577 294)		Tele: +46 (0)8 10 00 10 Email: privacy@truesec.se

2. The Personal Data That We Process About You

We process your personal data in order to be able to provide our products, services and events at the world-class level that our customers, event participants, newsletter subscribers and website visitors have come to expect and rely on.

In this work, we process personal data that we have either been provided by you or your employer, or that we have collected about you ourselves.

2.1 Personal Data Provided by You or Your Employer

When the company that you work for become a customer of Truesec, you or your company will typically provide the following data to us:

• Contact information, e.g., email address, telephone number, professional title and geographic location.
• Identity information, e.g., name and/or information regarding language requirements.
• Customer-related information, e.g., invoice details, payment details and order history, as well as your areas of expertise.

When you subscribe to one of our newsletters, you will provide the following data to us:

• Identity information, i.e.., name, company and professional title.
• Contact information, i.e., email address and telephone number.
• Areas of interest and expertise, e.g., offers and events that you are interested in or have signed up for.

When you fill out an online form on our website or otherwise upon our request or a third party’s request who is acting on our behalf, you will provide the following data to us:

• Identity information, i.e., name, company and professional title.
• Contact information, i.e., email address and telephone number.
• Areas of interest and expertise, i.e., offers and events that you are interested in or have signed up for.

When you sign up to attend one of our online or on-site events, you will provide the following data to us:

• Identity information, e.g., name, company and professional title.
• Contact information, e.g., email address and telephone number.
• Health information, e.g., allergies and dietary restrictions.
• Interest areas, e.g., offers and events that you are interested in or have signed up for.

When you are invited to and use our digital customer platform, you or your employer will provide the following data to us:

• Identity information, e.g., name, company and professional title.
• Contact information, e.g., email address and telephone number.

2.2 Personal Data collected About You or Generated Through Your Visit to Our Website, Fill Out Forms, Use Our Platform, or Interact With Our Newsletters

Considering the nature of our products and services, offering, e.g., 24/7 monitoring and detection services, pentesting services, incident response services, and infrastructure services, we will typically collect, view, analyze and otherwise process the personal data that is stored or otherwise processed in our customers’ IT environments and systems. With this in mind, the following data is such data that we typically have access to at some point when providing our services to your company:

Information regarding you as an employee that is stored in your company’s IT systems and databases

• contact information, e.g., email address, telephone number and professional title
• identity information, e.g., name, age, gender, nationality and/or information regarding language requirements
• other identifying information, e.g., IP address, MAC address and endpoint identity
• email correspondence and other communications that are logged or otherwise saved.

When you visit our website, we will collect the following data:

• IP address
• Data regarding your usage of Truesec websites (i.e. cookies), including
  • Pages that you have visited
  • Time spent on each page
  • Which links you click on
  • Which page you leave when you view a new one
  • Which browser you use.

When you use our digital customer platform, we may collect the following data:

• Attributes from Azure AD, e.g., Microsoft Azure ID number.

When you interact with our newsletters as you receive them, we will typically collect the following data:

• Information about how you interact with our newsletter, what deals you are interested in, and what links you click on.

3. How We Use Your Personal Data

3.1 Purposes and Lawful Bases

When your company becomes, or already is, a customer of Truesec, these are the most important purposes for which we process your personal data:

1. To verify your identity and authority to act on behalf of your employer. For this purpose, we process contact and identity information that you or your employer have provided to us.
2. To administrate your employer’s customer relationship with us, including customer care and customer support. For this purpose, we process contact and identity information, invoice and payment details, order details, and order history.
3. In relation to our business operations. For this purpose, we use identity, contact, and customer-related information in connection with offers/tenders, marketing and advertising of our products, services, and events, the development and improvement of our products, services, and events, long-term cooperative projects, when planning, executing and evaluating projects undertaken together with your employer, in relation to necessary legal documents such as NDAs when you may visit our premises as part of a project between your employer and us, as well as in matters related to claims and litigation.
4. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.
5. For bookkeeping and tax purposes. For this purpose, we process invoice and payment details, order details, and order history.

The lawful basis for 1, 2, and 3 above is that it is necessary in order to perform and administer our customer agreement with your employer and perform our legal obligations under, e.g., the Bookkeeping Act and Income Tax Act. Such personal data about you that we have processed during our provision of, e.g., monitoring or incident response services, will never be processed for any of the purposes above or otherwise for any other purpose than providing the contracted services to your employer.

The lawful basis for 2 and 3 above is also that we have a legitimate interest to develop and improve, as well as market and advertise our products, services, and events.

The lawful basis for 4 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

The lawful basis for 5 above is to perform our legal obligations.

If you would like to know more about our profiling measures, please see Section 9 below.

When you subscribe to one of our newsletters, these are the most important purposes for which we process your personal data:

1. To verify your identity. For this purpose, we process the contact and identity information that you have provided to us.
2. In relation to our business operations. For this purpose, we use identity and contact information, as well as information regarding your areas of interest and expertise, in connection with providing the requested newsletter(s) and in connection with the marketing and advertising of our products, services, and events, and the development and improvement of our products, services, and events, as well as performing market analyses, research and market statistics.
3. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.

The lawful basis for 1 and 2 above is our legitimate interest.

The lawful basis for 2 and 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see Section 9 below.

When you fill out an online form on our website(s) or sign up for or show interest in an event, these are the most important purposes for which we process your personal data:

1. To verify your identity. For this purpose, we process the contact and identity information that you have provided to us.
2. In relation to our business operations. For this purpose, we use identity and contact information in connection with providing the answer or information requested in the form and in connection with the marketing and advertising of our products, services, and events and the development and improvement of our products, services, and events, as well as performing market analyses, research, and market statistics.
3. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity, contact information, and customer-related information.

The lawful basis for 1 and 2 above is our legitimate interest.

The lawful basis for 2 and 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see Section 9 below.

When you visit our website(s), these are the most important purposes for which we process your personal data:

1. Website performance. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events are most interesting to our website visitors.
2. User experience and overall user-friendliness. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events are most interesting to our website visitors.

The lawful basis for 1 and 2 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about cookies, please see Section 10 below.

3.2 Processing for Marketing Purposes and Sending Out Newsletters

You have the right at any time to stop us from contacting you for marketing purposes and from sending you more newsletters. If you no longer wish to be contacted for marketing purposes or if you wish to unsubscribe from our newsletters, please email us at privacy@truesec.com.

You will also be provided with the opportunity to unsubscribe from our newsletter in each and every newsletter by clicking the "Unsubscribe" button.

3.3 Email Address Management Policy

When you provide us with your email address, we will handle it accordingly:

• Your email address will not be sold, distributed, or otherwise made available to companies outside the Group that are not our direct business partners that need your email address in order for us to provide our products, services, and events or otherwise provide such information that you have requested from us.
• Mailouts are done using technologies that hide your email address from other subscribers.

4. The Recipients, or Categories of Recipients, of Your Personal Data

Sometimes we send your personal data to our partners and service providers (so called ”third parties”). This is only done to the extent necessary for us to improve, update, sell, market, and provide our products, services and events. Below is a list of categories of such third party recipients:

• Business partners, to provide state-of-the-art technological and cybersecurity tools and capabilities to customers of our products and services
• Financial systems, for our invoice and payment administration as well as to comply with applicable accounting and tax laws
• Advertising agencies, for the advertising and marketing of our services and products
• Other business-related systems and tools, to manage sales contacts and to manage, plan, and register events
• Selected web analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our services and products offering
• Selected data analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our services and products offering
• Selected event management partners, to administer and manage events, including invites and streaming of live and recorded events
• Our web host, to host our website(s)
• Legal, technical and business partners, to safeguard our legal interests and to detect and prevent, as well as to stop, fraud and other security and technical issues.
  1. The recipients, or categories of recipients, of your personal data
     
  Sometimes we send your personal data to our partners and service providers (so called ”third parties”). This is only done to the extent necessary for us to improve, update, sell, market, and provide our products, services and events. Below is a list of categories of such third party recipients:
  
  • Business partners, to provide state-of-the-art technological and cybersecurity tools and capabilities to customers of our products and services
  • Financial systems, for our invoice and payment administration as well as to comply with applicable accounting and tax laws
  • Advertising agencies, for the advertising and marketing of our services and products
  • Other business-related systems and tools, to manage sales contacts and to manage, plan, and register events
  • Selected web analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our services and products offering
  • Selected data analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our services and products offering
  • Selected event management partners, to administer and manage events, including invites and streaming of live and recorded events
  • Our web host, to host our website(s)
  • Legal, technical and business partners, to safeguard our legal interests and to detect and prevent, as well as to stop, fraud and other security and technical issues.

5. Transfers of Your Personal Data Outside the EU/EES

Due to the technically demanding nature of our services, we sometimes partner with other companies to be able to provide you as a customer with state-of-the-art services. Such service providers are sometimes located outside the EU/EES. we have put the following safeguards in place to protect your personal data:

• In case personal data is transferred to the Group company, Truesec Inc., based in the US, there is an Intra-Group Transfer Agreement, including Standard Contractual Clauses and safeguards, in place
• Such safeguards are in the form of
  • defined cybersecurity roles and responsibilities;
  • policies and procedures requiring all users to apply security and privacy principles in their daily work;
  • access control and access authorization control to ensure that access to personal data is only possible after having identified and successfully authenticated the user, including processes and technologies that restrict and control access rights for users and services, allowing only authorized access which is necessary to accomplish assigned tasks in accordance with assigned responsibilities;
  • physical and environmental security to ensure that sufficient controls to protect against physical access of unauthorized people as well as physical and environmental threats are in place;
  • protection of confidentiality and integrity of personal data by utilizing trusted cryptographic technologies for personal data that is transmitted, stored or otherwise processed;
  • operations security processes, including incident management procedures which cover preparation, detection and analysis, containment and recovery of data in case of a personal data breach; monitoring capabilities to establish necessary traceability and allow for forensic analysis; vulnerability management controls to ensure that technical vulnerabilities and malicious activities are identified, tracked and remediated;
  • continuous evaluation of the effectiveness of implemented technical and organizational measures;
  • continuous evaluation of whether personal data should be, and if so, at what stage of the processing it should be, pseudonymized;
  • purpose limitation, data minimization, short retention periods;
  • state-of-the-art encryption protocols with keys stored outside the reach of the receiving party;
  • the request of receiving parties to challenge injunctions and other orders that risk compromising the integrity of the received personal data;
  • as far as is relevant to not store or otherwise in actual form transfer personal data outside the EU/EES but instead provide viewing rights of non-EU/EES entities through the use of remote access tools;
  • the implementation of internal processes and guidelines on the processing of personal data in relation to transfers outside the EU/EES.
• If personal data is transferred to a processor based outside of the EU/EES, such processing is governed by Data Processing Agreements and subject to necessary derogations in accordance with the GDPR art. 49.

6. How Long We Keep Your Personal Data

Your personal data is stored in our CRM tool (HubSpot), invoicing tool (Visma) and data analysis tools (Google Analytics, Google Adwords, Google Search Console, and Hotjar). All your personal data is securely stored using state-of-the-art security measures, such as firewalls, monitoring software and live monitoring by our internal Security Operations Center, encryption protocols, and internal processes and guidelines for the handling and storing of personal data.

We will keep your personal data for the periods specified below:

Category of personal data:	Retention period (from our last interaction related to the particular purpose):
Contact details (name, email, telephone number)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Company-related information (company registration number, invoicing and payment details, order history, professional title)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Allergies	7 days after the relevant event has ended

Interest area	If you: are a customer: 24 months have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Non-essential cookie-related information (pages that you have visited, time spent on each page, which links you click on, which page you leave when you view a new one and which browser you use)	Please see section 10 below.

7. Your Rights Under the GDPR

Under the GDPR, you have a number of rights in relation to our processing of your personal data. If you want to make use of these rights, or have any other questions regarding your rights as a data subject whose personal data is under our processing, please contact us at our contact details above or send us an email at privacy@truesec.com.

The right to information and Access (Right of Access)

You have the right to request information about our processing of your personal data. Further, you have the right to request to receive copies of the categories of personal data which we process.

The Right to Rectification

You have the right to request that incorrect, inaccurate and incomplete personal data about yourself is rectified. For your information, we will, upon our own initiative, rectify any personal data about you that we discover is incorrect, inaccurate or otherwise incomplete.

The Right to be Forgotten

Under certain conditions, you have the right to request that personal data about you is deleted.

The Right to Restriction of Processing

Under certain conditions, you have the right to request that the processing of your personal data is restricted.

The Right to Object to Processing

Under certain conditions, you have the right to object to our processing of your personal data if such processing is made on the lawful basis of our legitimate interest.

The Right to Data Portability

Under certain conditions, you have the right to request that we transfer the personal data that we have collected about you to another organization, or directly to you, in a structured, commonly used and machine-readable format.

Revoking of Your Consent

You are at any time and free of charge entitled to revoke your consent to the processing of your personal data that is made on the lawful basis of your consent. We will then cease the said processing immediately. Such revoking of your consent can be made by either calling us at +46 (0)8 10 00 10 or by sending us an email at privacy@truesec.se.

8. Your Right to Complain to Integritetsskyddsmyndigheten

You have the right to lodge a complaint with the Supervisory Authorities if you are dissatisfied with the way we process your personal data. You will find the contact information of the Swedish Supervisory Authority here: https://www.imy.se/privatperson/utfora-arenden/lamna-ett-klagomal/.

9. Our Profiling Actions

When you visit our website, become a customer, fill out an online form or subscribe to our newsletter, we will process your personal data. In order to tell us more about our website visitors', customers' and newsletter subscribers' needs habits, to improve user friendliness and usability, better tailor our product, service and event offerings and to provide relevant and helpful content, we process the data listed below through profiling.

• how you use our website(s)
• which of our products, services and other offer that you show an interest in
• which newsletters you have interacted with and events which you have signed up for
• your order history

You can object to our processing of your personal data through profiling at any time and free of charge. Such objection can be made by sending us an email at privacy@truesec.com. As soon as we have received your notification, we will cease to process your personal data through profiling.

10. Cookies

10.1. What Are Cookies?

A cookie is a small text file that a website requests to store on your device or computer in order to recognise you the next time you visit the website. The cookie is used to enhance user experience. Information in the cookie is used to follow a user's browsing activities.

There are two types of cookies:

• Permanent cookies store a file on your device and enable you to use the site and access different features.
• Session cookies are used when you visit a website. A session cookie is sent between your computer and our web server to facilitate navigation. The cookie is erased when you leave the website.

For more information about cookies, please visit the Swedish Post and Telecom Authority website: http://www.pts.se/sv/bransch/regler/lagar/lag-om-elektronisk-kommunikation/kakor-cookies/.

10.2. Our Use of Cookies on Our Website

We use permanent cookies and session cookies on our website in order to:

• Measure and analyze visitor flow and navigation on the website to see what visitors appreciate and how they use our web services
• Allow the system to recognize returning users in order to make the user experience as pleasurable as possible.
• Retain the visitor's choice of text size on the website and automatically fill in different form fields so as to facilitate the accessibility of services for the user and his/her visits to our websites.

If you accept session cookies, you can fully appreciate our website.

If you do not accept any non-essential cookies, you will not be able to fully appreciate our website; you will only be able to read information and view services, see prices and related information.

10.3. Website Analysis Tools

We use Google Analytics to understand how you, the visitor, use our website. The following cookies are created when you visit the website:

Permanent cookies:

• __utma, differentiates between users and sessions/visits. It is updated at
  each pageview and expires two years after it is added or last updated.
• __utmz, measures traffic sources and navigation on the site (such as the search engine used to enter the site). It expires six months after it is added or last updated.

Session cookies:

• __utmb, calculates new sessions/visits. It is updated at each pageview and expires 30 minutes after it is added or last updated.
• __utmc, used with "__utmb" to understand if a new visit is made to the
  website (30 minutes of inactivity is counted as a new visit). It expires when
  the browser is closed.
• __utmt, calculates the site speed and expires 10 minutes after it is set.

Cookie:	Description:	Expires:
_ga	Used by GA to distinguish visitors	2 years
_gid	Used by GA to distinguish visitors	24 hours
_gat	Used by GA to limit the frequency of inquiries	1 minute

The information created by these cookies is used to evaluate visitor statistics in order to improve content, navigation and website structure. Read about Google's privacy policy here: https://www.google.se/intl/sv/policies/privacy/.

10.4. Disable the Storage of Cookies

If you do not want cookies to be stored on your computer, you can turn off the feature in your browser settings. Thus, no cookies will be stored, but note that your personal settings will disappear. Learn how to remove cookies from web browsers: http://www.minacookies.se/ditt-val/.

If you do not want your visits to our website to appear in Google Analytics statistics, you can use an add-on in your browser. See Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.

10.5. Legal Information

The Electronic Communications Act 2003:389 (Sweden): https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2003389-om-elektronisk-kommunikation_sfs-2003-389