Truesec Group’s Web Privacy Notice

1. Introduction and who we are

Truesec Group (hereinafter jointly, “Truesec“, “Group” or “we/us“) is a market-leading and highly regarded company that focuses on cybersecurity, secure infrastructure, and secure development. It is our purpose to help our customers within each respective field by providing world-class products and services, and we always let our purpose guide us in our work. For more information about us, please see the “Who We Are” section of our website at https://www.truesec.com/who-we-are.

This privacy notice explains how Truesec, in the capacity of data controller, collect, use, maintain, and disclose the personal data from you if the company you work for buys and/or uses our products and services and when you visit our website, fill out one of our online forms, subscribe to our newsletters, attend any of our events, or interact with us on social media. For the purpose of this notice, “Truesec” means the companies set out in the table below.

Name:	Joint addresses:	Joint contact details:
Truesec Group AB (company reg. no. 556690-8074)	Luntmakargatan 18 SE-111 37 Stockholm Sweden	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com.
Truesec AB (company reg. no. 556676-3073)
Truesec Infrastructure AB (company reg. no. 559048-7079)
Truesec Detect AB (company reg. no. 559121-7046)
Truesec Inspect AB (company reg. no. 559148-3788)
Truesec HTI AB (company reg. no. 559305-2656)
Truesec IoT AB (company reg. no. 559361-8589
Truesec Development AB (company reg. no. 556919-7311)	Torggatan 4 SE-211 40 Malmö Sweden	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com
Truesec A/S (company reg. no. 42823007)	Glentevej 69, 1st floor 2400 København NV Denmark	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com
Truesec Oy (company reg. no. 3298888-5)	Keilaniementie 1 FI-02150 Espoo Finland	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com
Truesec GmbH (company reg. no. HRB 280803)	Rosenheimerstraße 143c DE-81671 Munich Germany	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com
Truesec Norway AS (company reg. no. 930 577 294)	Truesec Norway AS Postboks 354 SENTRUM 0101 Oslo Norway	Tele: +46 (0)8 10 00 10 Email: privacy@truesec.com

2. The Personal Data That We Process About You

We process your personal data in order to be able to provide our products, services, and events at the world-class level that our customers, event participants, newsletter subscribers and website visitors have come to expect and rely on. We may also process personal data about you if you are an employee of a company that work together with Truesec in the capacity of a partner, supplier, or similar.

In this work, we process personal data that we have either been provided by you or your employer, or that we have collected about you ourselves.

2.1. Personal Data Provided by You or Your Employer

When the company that you work for becomes a customer of (or otherwise work together with) Truesec, you or your company will typically provide the following data to us:

Identity information, e.g., name and/or information regarding language requirements;
Contact information, e.g., email address, telephone number, professional title, and geographic location;
Customer-related information, e.g., invoice details, payment details and order history, as well as your areas of expertise.

When you subscribe to one of our newsletters, you will provide the following data to us:

Identity information, i.e., name, company, and professional title;
Contact information, i.e., email address and telephone number;
Areas of interest and expertise, e.g., offers and events that you are interested in or have signed up for.

When you fill out an online form on our website or otherwise upon our request or a third party’s request who is acting on our behalf, you will provide the following data to us:

Identity information, i.e., name, company, and professional title;
Contact information, i.e., email address and telephone number;
Areas of interest and expertise, i.e., offers and events that you are interested in or have signed up for.

When you sign up to attend one of our online or on-site events, you will provide the following data to us:

Identity information (incl. customer-related information), e.g., name, company, and professional title;
Contact information, e.g., professional email address and telephone number;
Health information, e.g., allergies and dietary restrictions;
Interest areas, e.g., offers and events that you are interested in or have signed up for.

When you interact with us on social media, you will typically provide us with the following data:

Identity information, i.e., name, company, and professional title;
Social media content, i.e. any comments, likes, or other interactions with Truesec’s official accounts on social media (such as LinkedIn, X, and Facebook).

2.2. Personal Data We Collect or Generate About You

Considering the nature of our products and services, offering, e.g., 24/7 monitoring and detection services, pentesting services, incident response services, and infrastructure services, we collect, view, analyze and otherwise process personal data that is stored or otherwise processed in our customers’ or partners’ IT environments and systems.

We may collect or generate all or some of the following information about you during the course of your employer’s relationship with us or when you otherwise interact with us, use our website, or fill out our forms:

When your company works with us (as a customer or partner), we will collect the following data regarding you as an employee:

Contact information, e.g., email address, telephone number, and professional title;
Identity information, e.g., name, age, gender, nationality, and/or information regarding language requirements;
Other identifying information, e.g., IP address, MAC address and endpoint identity;
Email correspondence and other communications, that we receive and/or send.

When you visit our website, we will collect the following data:

IP address;
Data regarding your usage of Truesec websites (i.e. cookies), see “Cookie declaration”.

When you interact with our newsletters as you receive them, we will typically collect the following data:

Information about how you interact with our newsletter, what deals you are interested in, and what links you click on.

When you attend an event, we will typically collect the following data:

Attendance information, e.g., name and scope of the event(s) that you have attended;
Information about how you interact with us or other attendees, e.g., if you ask specific questions or show an interest for specific topics, products, or services.

3. How We Use Your Personal Data

3.1. Purposes and Lawful Bases

3.1.1 Working with Truesec

When your company becomes, or already is, a customer or partner of (or otherwise work together with) Truesec, these are the purposes for which we process your personal data:

To verify your identity and authority to act on behalf of your employer. For this purpose, we process contact and identity information that you or your employer have provided to us.
To administrate your employer’s customer relationship with us, including customer care and customer support. For this purpose, we process contact and identity information, invoice and payment details, order details and order history.
In relation to our business operations. For this purpose, we use identity, contact and customer-related information in connection with offers/tenders, marketing and advertising of our products, services and events, the development and improvement of our products, services and events, including other products, services and events than those purchased by our customer, long-term cooperative projects, when planning, executing and evaluating projects undertaken together with your employer, in relation to necessary legal documents such as NDAs when you may visit our premises as part of a project between us and your employer, as well as in matters related to claims and litigation.
Profiling and targeted marketing. For this purpose, we process identity and contact information, information about how you have interacted with previous marketing emails and how you have interacted with our website (including visited pages and clicked links), as well as customer-related information.
For bookkeeping and tax purposes. For this purpose, we process invoice and payment details, order details and order history.
To communicate with you. For this purpose, we process identity information, contact information, email correspondence and other communications, as well as social media interactions.

The lawful basis for purpose 1 above is that Truesec has a legitimate interest to verify your authority to act on behalf of your employer.

The lawful bases for 2 and 3 above is also that we have a legitimate interest to develop and improve, as well as market and advertise, our products, services, and events.

The lawful basis for 4 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

The lawful basis for 5 above is to perform our legal obligations.

The lawful basis for 6 is our legitimate interest of interacting with you in your role as an employee of our customers, potential customers, partners, or suppliers, as well as on social media.

If you would like to know more about our profiling measures, please see section 9 below.

3.1.2. Newsletter Subscriptions

When you subscribe to one of our newsletters, these are the purposes for which we process your personal data:

To verify your identity. For this purpose, we process contact and identity information that you have provided to us.
In relation to our business operations. For this purpose, we use contact information, as well as information regarding your areas of interest and expertise, in connection with providing the requested newsletter(s), and in connection with marketing and advertising of our products, services and events and the development and improving of our products, services and events, as well as performing market analyses, research and market statistics.
Profiling, automated decision-making and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.

The lawful basis for 1 and 2 above is to fulfil our contractual obligation to you.

The lawful basis for 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see section 9 below.

3.1.3. Online Forms

When you fill out an online form on our website(s), or sign up for or show interest in an event or training, these are the purposes for which we process your personal data:

To verify your identity. For this purpose, we process contact and identity information that you have provided to us.
In relation to our business operations. For this purpose, we use identity and contact information in connection with providing the answer or information requested in the form, and in connection with marketing and advertising of our products, services and events and the development and improving of our products, services, and events, as well as performing market analyses, research, and market statistics.
Profiling, automated decision-making and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.

The lawful basis for 1 and 2 above is to fulfil our contractual obligation to you.

The lawful basis for 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see section 9 below.

3.1.4. Events

When you sign up for and attend one of our events, these are the purposes for which we process your personal data:

To verify your identity. For this purpose, we process contact and identity information that you have provided to us.
In relation to our business operations. For this purpose, we use identity information, contact information, areas of interest, and customer-related information, in connection with fulfilling our obligations as agreed when you sign up for our events.
In relation to administration of and producing an event. For this purpose, we use identity and contact information, health information, and customer-related information in order to ensure we are able to produce and provide the events which you have signed up to attend.
In relation to marketing of, development of, and following-up on services. For this purpose, we use identity and contact information, customer-related information, and information about your interest areas and attended events.

The lawful basis for 1 and 2 above is to fulfil our contractual obligation to you.

The lawful basis for 3 is our legitimate interest in conducting successful and valuable events.

The lawful basis for 4 is our legitimate interest in collecting information about past events (reviews, comments, and other feedback), sending you information and marketing materials about other, similar events, as well as products and services that align with your interest areas and such events that you have attended. For 4, we may also share your data with our partners, and other hosts of events that you have attended, for these same purposes.

3.1.5. Website Visits

When you visit our website(s), these are the purposes for which we process your personal data:

Website performance. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events that are most interesting to our website visitors.
User experience and overall user friendliness. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events that are most interesting to our website visitors.

The lawful bases for 1 and 2 above is our legitimate interest of having a functioning website (essential cookies) and your consent (non-essential cookies). See further details in the “Cookie declaration” hereinunder. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about cookies, please see section 9 below.

3.1.6. Social Media Interactions

When you interact with us on social media we process your personal data for the purpose of:

Interacting with you. For this purpose, we process identity information and social media content.

The lawful basis for 1 is our legitimate interest to interact with customers, potential customers, potential future employees, and other interested persons.

3.2. Processing for marketing purposes and sending out newsletters

You have the right at any time to stop us from contacting you for marketing purposes and from sending you more newsletters. If you no longer wish to be contacted for marketing purposes or if you wish to unsubscribe from our newsletters, please email us at privacy@truesec.com.

You will also be provided with the opportunity to unsubscribe from our newsletter in each and every newsletter, by clicking the “Unsubscribe”-button.

3.3. Email address management policy

When you provide us with your email address, we will handle it accordingly:

Your email address will not be sold, distributed, or otherwise made available to companies outside the Group that are not our direct business partners that need your email address in order for us to provide our products, services, and/or events, or otherwise provide such information that you have requested from us.
Mailouts are done using technologies that hide your email address from other subscribers.

4. The recipients, or categories of recipients, of your personal data

Sometimes we send your personal data to our partners and service providers (so called “third parties”). This is only done to the extent necessary for us to improve, update, sell, market, provide, and follow-up on our products, services and events, and to collaborate with partners before and after events. Below is a list of categories of such third-party recipients:

Business partners, to provide state-of-the-art technological and cybersecurity tools and capabilities to customers of our products and services, to host and develop, provide, and follow-up on events, to market products, services, and events;
Financial systems, for our invoice and payment administration as well as to comply with applicable accounting and tax laws;
Advertising agencies, for the advertising and marketing of our products, services, and events;
Other business-related systems and tools, to communicate with you, manage sales contacts and to manage, plan, register, and follow-up on events;
Selected web analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our products, services, and event offerings;
Selected data analytics system, to improve user experience and user friendliness, as well as improving marketing measures and our services and products offering
Selected event management partners, to administer and manage events, including invites and streaming of live and recorded events, marketing of events, marketing of related products and services, and following-up on events;
Our web host, to host our website(s);
Legal, technical, and business partners, to safeguard our legal interests and to detect and prevent, as well as to stop, fraud and other security and technical issues.

5. Transfers of your personal data outside the EU/EEA

Due to the technically demanding nature of our services, we sometimes partner with other companies to be able to provide you as a customer with state-of-the-art services. Such service providers are sometimes located outside the EU/EEA. we have put the following safeguards in place to protect your personal data:

In case personal data is transferred to the Group company, Truesec Inc., based in the US, there is an Intra-Group Transfer Agreement, including Standard Contractual Clauses and safeguards, in place.
Such safeguards are in the form of
defined cybersecurity roles and responsibilities;
policies and procedures requiring all users to apply security and privacy principles in their daily work;
access control and access authorization control to ensure that access to personal data is only possible after having identified and successfully authenticated the user, including processes and technologies that restrict and control access rights for users and services, allowing only authorized access which is necessary to accomplish assigned tasks in accordance with assigned responsibilities;
physical and environmental security to ensure that sufficient controls to protect against physical access of unauthorized people as well as physical and environmental threats are in place;
protection of confidentiality and integrity of personal data by utilizing trusted cryptographic technologies for personal data that is transmitted, stored or otherwise processed;
operations security processes, including incident management procedures which cover preparation, detection and analysis, containment and recovery of data in case of a personal data breach; monitoring capabilities to establish necessary traceability and allow for forensic analysis; vulnerability management controls to ensure that technical vulnerabilities and malicious activities are identified, tracked and remediated;
continuous evaluation of the effectiveness of implemented technical and organizational measures;
continuous evaluation of whether personal data should be, and if so, at what stage of the processing it should be, pseudonymized;
purpose limitation, data minimization, short retention periods;
state-of-the-art encryption protocols with keys stored outside the reach of the receiving party;
the request of receiving parties to challenge injunctions and other orders that risk compromising the integrity of the received personal data;
as far as is relevant to not store or otherwise in actual form transfer personal data outside the EU/EEA but instead provide viewing rights of non-EU/EEA entities through the use of remote access tools;
the implementation of internal processes and guidelines on the processing of personal data in relation to transfers outside the EU/EEA.

If personal data is transferred to a processor based outside of the EU/EEA, such processing is additionally governed by Data Processing Agreements and subject to necessary derogations in accordance with the GDPR art. 49.

6. How long we keep your personal data

When handling your personal data, we use state-of-the-art security measures, such as firewalls, monitoring software and live monitoring by our internal Security Operations Center, encryption protocols, and internal processes and guidelines for the handling and storing of personal data.

We will keep your personal data for the periods specified below:

Category of personal data:	Retention period (from our last interaction related to the particular purpose):
Identity information (name) Contact details (email, telephone number)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Customer-related information (company registration number, invoicing and payment details, order history, professional title)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Health information (allergies, dietary restrictions)	7 days after the relevant event has ended

Areas of interest and expertise	If you: are a customer: 24 months have filled out an online form: 12 months have participated in one of our events: 12 months have subscribed to your newsletter: until you unsubscribe have visited our website(s): 12 months
Cookie-related information and IP address	Please see “Cookie declaration”
Information regarding how you interact with our newsletter	Until you unsubscribe from our newsletter

7. Your rights under the GDPR

Under the GDPR, you have a number of rights in relation to our processing of your personal data. If you want to make use of these rights, or have any other questions regarding your rights as a data subject whose personal data is under our processing, please contact us at our contact details above or send us an email at privacy@truesec.com.

The right to Information and Access (Right of Access)

You have the right to request information about our processing of your personal data. Further, you have the right to request to receive copies of the categories of personal data which we process.

The Right to Rectification

You have the right to request that incorrect, inaccurate and incomplete personal data about yourself is rectified. For your information, we will, upon our own initiative, rectify any personal data about you that we discover is incorrect, inaccurate or otherwise incomplete.

The Right to be Forgotten

Under certain conditions, you have the right to request that personal data about you is deleted.

The Right to Restriction of Processing

Under certain conditions, you have the right to request that the processing of your personal data is restricted.

The Right to Object to Processing

Under certain conditions, you have the right to object to our processing of your personal data if such processing is made on the lawful basis of our legitimate interest.

The Right to Data Portability

Under certain conditions, you have the right to request that we transfer the personal data that we have collected about you to another organization, or directly to you, in a structured, commonly used and machine-readable format.

Revoking of Your Consent

You are at any time and free of charge entitled to revoke your consent to the processing of your personal data that is made on the lawful basis of your consent. We will then cease the said processing immediately. Such revoking of your consent can be made by either calling us at +46 (0)8 10 00 10 or by sending us an email at privacy@truesec.se.

Your right to complain to a Supervisory Authority

You have the right to lodge a complaint with the Supervisory Authorities if you are dissatisfied with the way we process your personal data. You will find the contact information of the Supervisory Authorities in the respective EU/EEA member states here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

8. Our Profiling Actions

When you visit our website, become a customer, fill out an online form, or subscribe to our newsletter, we will process your personal data. In order to tell us more about our website visitors’, customers’ and newsletter subscribers’ needs habits, to improve user friendliness and usability, better tailor our product, service and event offerings and to provide relevant and helpful content, we process the data listed below through profiling:

How you use our website(s);
Which of our products, services, and other offer that you show an interest in;
Which newsletters you have interacted with and events which you have signed up for;
Your order history.

You can object to our processing of your personal data through profiling at any time and free of charge. Such objection can be made by sending us an email at privacy@truesec.com. As soon as we have received your notification, we will cease to process your personal data through profiling.

9. Cookies

9.1 What are cookies?

A cookie is a small text file that a website requests to store on your device or computer in order to recognise you the next time you visit the website. The cookie is used to enhance user experience. Information in the cookie is used to follow a user’s browsing activities.

There are two types of cookies:

Permanent cookies store a file on your device and enable you to use the site and access different features.
Session cookies are used when you visit a website. A session cookie is sent between your computer and our web server to facilitate navigation. The cookie is erased when you leave the website.

For more information about cookies, please visit the Swedish Post and Telecom Authority website: http://www.pts.se/sv/bransch/regler/lagar/lag-om-elektronisk-kommunikation/kakor-cookies/.

9.2 Our use of cookies on our website

We use permanent cookies and session cookies on our website in order to:

Measure and analyze visitor flow and navigation on the website to see what visitors appreciate and how they use our web services
Allow the system to recognize returning users in order to make the user experience as pleasurable as possible.
Retain the visitor’s choice of text size on the website and automatically fill in different form fields so as to facilitate the accessibility of services for the user and his/her visits to our websites.

If you accept session cookies, you can fully appreciate our website.

If you do not accept any non-essential cookies, you will not be able to fully appreciate our website; you will only be able to read information and view services, see prices and related information.

9.3 Website Analysis Tools

We use Google Analytics to understand how you, the visitor, use our website. The following cookies are created when you visit the website:

Permanent cookies:

__utma, differentiates between users and sessions/visits. It is updated at
each pageview and expires two years after it is added or last updated.
__utmz, measures traffic sources and navigation on the site (such as the search engine used to enter the site). It expires six months after it is added or last updated.

Session cookies:

__utmb, calculates new sessions/visits. It is updated at each pageview and expires 30 minutes after it is added or last updated.
__utmc, used with “__utmb” to understand if a new visit is made to the
website (30 minutes of inactivity is counted as a new visit). It expires when
the browser is closed.
__utmt, calculates the site speed and expires 10 minutes after it is set.

Cookie:	Description:	Expires:
_ga	Used by GA to distinguish visitors	2 years
_gid	Used by GA to distinguish visitors	24 hours
_gat	Used by GA to limit the frequency of inquiries	1 minute

The information created by these cookies is used to evaluate visitor statistics in order to improve content, navigation and website structure. Read about Google’s privacy policy here: https://www.google.se/i ntl/sv/policies/privacy/.

9.4 Disable the Storage of Cookies

If you do not want cookies to be stored on your computer, you can turn off the feature in your browser settings. Thus, no cookies will be stored, but note that your personal settings will disappear. Learn how to remove cookies from web browsers: http://www.minacookies.se/ditt-val/.

If you do not want your visits to our website to appear in Google Analytics statistics, you can use an add-on in your browser. See Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.

9.5 Legal Information

The Electronic Communications Act 2003:389 (Sweden): https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssa mling/lag-2003389-om-elektronisk-kommunikation_sfs-2003-389