Privacy and Terms

1. Introduction and Who We Are
2. The Personal Data That We Collect About You, Purpose(s) and Lawful Bases
3. The Recipients, or Categories of Recipients, of Your Personal Data
4. Transfers of Your Personal Data Outside the EU/EES
5. How Long We Keep Your Personal Data
6. Your Rights Under the GDPR
7. Your Right to Complain to Integritetsskyddsmyndigheten
8. Personal Data That You May Be Obligated by Law or Contract to Provide
9. Our Automated Decision-Making and Profiling Actions
10. Cookies
11. Terms and Conditions – Truesec Trainings and PAID Events

1. Introduction and Who We Are

Truesec Group (hereinafter jointly, "Truesec", "Group" or "we/us") is a market-leading and highly regarded company that focuses on cybersecurity, secure infrastructure, and secure development. It is our purpose to help our customers within each respective field by providing world-class products and services, and we always let our purpose guide us in our work. For more information about us, please see the “About Truesec” section of our website.

This privacy notice explains how Truesec, in the capacity of data controller, collects, uses, maintains, and discloses the personal data from you if you buy and/or use our products and services, visit our website, fill out one of our online forms, subscribe to our newsletters, and attend any of our events.

If you have any questions, wish to exercise any of your rights under the EU General Data Protection Regulation (EU) 2016/679 (hereinafter, the "GDPR") in relation to our processing of your personal data, or otherwise wish to come into contact with Truesec regarding our processing of your personal data, please also find contact details below.

Name:	Joint Addresses:	Joint Contact Details:
Truesec Group AB (Company Reg. No. 556690-8074)	Oxtorgsgränd 2 SE-111 57 Stockholm	Tel: +46 (0)8 10 00 10 Email: privacy@truesec.com
Truesec AB (Company Reg. No. 556676-3073)
Truesec Detect AB (Company Reg. No. 559121-7046)
Truesec Inspect AB (Company Reg. No. 559148-3788)
Truesec HTI AB (Company Reg. No. 559305-2656)
Truesec Development AB (Company Reg. No. 556919-7311)	Torggatan 4 SE-211 40 Malmö	Tel: +46 (0)8 10 00 10 Email: privacy@truesec.com
Säkerhetskontoret i Sverige AB (Company Reg. No. 556959-1125)	Sandelsgatan 16 SE-115 34 Stockholm	Tel: +46 (0)8 10 00 10 Email: privacy@truesec.com

2. The Personal Data That We Collect About You, Purpose(s), and Lawful Bases

We use, store, and disclose personal data when and to run our website(s), improve user experience and usability of our website(s), process payments, manage and administer our continuous relationship with you and your customer account, on-board you as a customer, provide the products and services that you have bought, provide customer care and support, process agreements, comply with legal obligations, create and share content for our newsletter(s) and events, market and advertise our products, services, and events, protect intellectual property rights, etc. In other words, we process your personal data in order to be able to provide our products, services, and events at the world-class level that our customers, event participants, newsletter subscribers, and website visitors have come to expect and rely on.

In this work, we process personal data that we have either been provided by you or your employer or that we have collected about you ourselves.

2.1 Personal Data Provided by You or Your Employer

When the company that you work for becomes a customer of Truesec, you or your company will typically provide the following data to us:

• Contact information, e.g., email address, telephone number, professional title, and geographic location.
• Identity information, e.g., name, nationality, and/or information regarding language requirements.
• Customer-related information, e.g., invoice details, payment details, order history, and your areas of interest and expertise.

When you subscribe to one of our newsletters, you will typically provide the following data to us:

• Identity information, e.g., name, company, and professional title.
• Contact information, e.g., email address and telephone number.
• Areas of interest and expertise, e.g., offers and events for which you are interested or have signed up.

When you fill out an online form on our website or otherwise upon our request or a third party’s request who is acting on our behalf, you will typically provide the following data to us:

• Identity information, e.g., name, company, and professional title.
• Contact information, e.g., email address and telephone number.
• Areas of interest and expertise, e.g., offers and events for which you are interested or have signed up.

When you sign up to attend one of our online or on-site events, you will typically provide the following data to us:

• Identity information, e.g., name, company, and professional title.
• Contact information, e.g., email address, and telephone number.
• Health information, e.g., allergies.
• Interest areas, e.g., offers and events for which you are interested or have signed up.

2.2 Personal Data Collected About You

Considering the nature of our products and services, offerings, e.g., 24/7 monitoring and detection services, pentesting services, incident response services, and infrastructure services, we will typically collect, view, analyze, and otherwise process the personal data that is stored or otherwise processed in our customers’ IT environments and systems. With this in mind, the following data is such data that we typically have access to at some point when providing our services to your company:

• Information regarding you as an employee that is stored in your company’s IT systems and databases:
  • Contact information, e.g., email address, telephone number, and professional title.
  • Identity information, e.g., name, age, gender, nationality, and/or information regarding language requirements.
  • Information regarding salary and benefits, social security benefits, employment history, and HR cases.
  • Social security number.
  • Health information.
  • Organization memberships, e.g., union memberships.
  • Email correspondence and other communications that are logged or otherwise saved.

When you visit our website, we will typically collect the following data:

• § IP address
• Data regarding your usage of Truesec websites (i.e., cookies), including:
  • Pages that you have visited.
  • Time spent on each page.
  • Which links you click on.
  • Which page you leave when you view a new one.
  • Which browser you use.

When you subscribe to our newsletter and interact with our newsletters as you receive them, we will typically collect the following data:

• Information about how you interact with our newsletter, what deals you are interested in, and what links you click on.

3. How We Use Your Personal Data

3.1 Purposes and Lawful Bases

When your company becomes, or already is, a customer of Truesec, these are the most important purposes for which we process your personal data:

1. To verify your identity and authority to act on behalf of your employer. For this purpose, we process contact and identity information that you or your employer have provided to us.
2. To administrate your employer’s customer relationship with us, including customer care and customer support. For this purpose, we process contact and identity information, invoice and payment details, order details, and order history.
3. In relation to our business operations. For this purpose, we use identity, contact, and customer-related information in connection with offers/tenders, marketing and advertising of our products, services, and events, the development and improvement of our products, services, and events, long-term cooperative projects, when planning, executing and evaluating projects undertaken together with your employer, in relation to necessary legal documents such as NDAs when you may visit our premises as part of a project between your employer and us, as well as in matters related to claims and litigation.
4. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.
5. For bookkeeping and tax purposes. For this purpose, we process invoice and payment details, order details, and order history.

The lawful basis for 1, 2, and 3 above is that it is necessary in order to perform and administer our customer agreement with your employer and perform our legal obligations under, e.g., the Bookkeeping Act and Income Tax Act. Such personal data about you that we have processed during our provision of, e.g., monitoring or incident response services, will never be processed for any of the purposes above or otherwise for any other purpose than providing the contracted services to your employer.

The lawful basis for 2 and 3 above is also that we have a legitimate interest to develop and improve, as well as market and advertise our products, services, and events.

The lawful basis for 4 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

The lawful basis for 5 above is to perform our legal obligations.

If you would like to know more about our profiling measures, please see Section 9 below.

When you subscribe to one of our newsletters, these are the most important purposes for which we process your personal data:

1. To verify your identity. For this purpose, we process the contact and identity information that you have provided to us.
2. In relation to our business operations. For this purpose, we use identity and contact information, as well as information regarding your areas of interest and expertise, in connection with providing the requested newsletter(s) and in connection with the marketing and advertising of our products, services, and events, and the development and improvement of our products, services, and events, as well as performing market analyses, research and market statistics.
3. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity and contact information, as well as customer-related information.

The lawful basis for 1 and 2 above is our legitimate interest.

The lawful basis for 2 and 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see Section 9 below.

When you fill out an online form on our website(s) or sign up for or show interest in an event, these are the most important purposes for which we process your personal data:

1. To verify your identity. For this purpose, we process the contact and identity information that you have provided to us.
2. In relation to our business operations. For this purpose, we use identity and contact information in connection with providing the answer or information requested in the form and in connection with the marketing and advertising of our products, services, and events and the development and improvement of our products, services, and events, as well as performing market analyses, research, and market statistics.
3. Profiling, automated decision-making, and targeted marketing. For this purpose, we process identity, contact information, and customer-related information.

The lawful basis for 1 and 2 above is our legitimate interest.

The lawful basis for 2 and 3 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about our profiling measures, please see Section 9 below.

When you visit our website(s), these are the most important purposes for which we process your personal data:

1. Website performance. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events are most interesting to our website visitors.
2. User experience and overall user-friendliness. For this purpose, we process information from cookies to analyze your behavior on our website(s) and which of our pages, services, products, and events are most interesting to our website visitors.

The lawful basis for 1 and 2 above is your consent. Please note that your consent may at any time be revoked by contacting us at privacy@truesec.com.

If you would like to know more about cookies, please see Section 10 below.

3.2 Processing for Marketing Purposes and Sending Out Newsletters

You have the right at any time to stop us from contacting you for marketing purposes and from sending you more newsletters. If you no longer wish to be contacted for marketing purposes or if you wish to unsubscribe from our newsletters, please email us at privacy@truesec.com.

You will also be provided with the opportunity to unsubscribe from our newsletter in each and every newsletter by clicking the "Unsubscribe" button.

3.3 Email Address Management Policy

When you provide us with your email address, we will handle it accordingly:

• Your email address will not be sold, distributed, or otherwise made available to companies outside the Group that are not our direct business partners that need your email address in order for us to provide our products, services, and events or otherwise provide such information that you have requested from us.
• Mailouts are done using technologies that hide your email address from other subscribers.

4. The Recipients, or Categories of Recipients, of Your Personal Data

Sometimes we send your personal data to our partners and service providers (so-called” third parties”). This is only done to the extent necessary for us to improve, update, sell, market, and provide our products, services, and events. Below is a list of categories of such third-party recipients:

• Business partners, to provide state-of-the-art technological and cybersecurity tools and capabilities to customers of our products and services.
• Financial systems, for our invoice and payment administration, as well as to comply with applicable accounting and tax laws.
• Advertising agencies, for the advertising and marketing our services and products.
• Other business-related systems and tools, to manage and collaborate on sales contacts and to manage, plan, and register events.
• Selected web analytics system, to improve user experience and user-friendliness, as well as to improve marketing measures and our services and products offered.
• Selected data analytics system, to improve user experience and user-friendliness, as well as improve marketing measures and our services and products offered.
• Our web host, to host our website(s).
• Legal, technical and business partners, to safeguard our legal interests and to detect and prevent, as well as to stop, fraud and other security and technical issues.

5. Transfers of Your Personal Data Outside the EU/EES

Due to the technically demanding nature of our services, we sometimes partner with other companies to be able to provide you as a customer with state-of-the-art services. Such service providers are sometimes located outside the EU/EES. Our transfer of your personal data in such cases is not based on an adequacy decision by the European Commission. Instead, we have put the following safeguards in place to protect your personal data:

• In case personal data is transferred to the Group company, Truesec Inc., based in the US, there is an Intra-Group Transfer Agreement, including Standard Contractual Clauses and safeguards, in place.
• Such safeguards are in the form of
  • defined cybersecurity roles and responsibilities;
  • policies and procedures requiring all users to apply security and privacy principles in their daily work;
  • access control and access authorization control to ensure that access to personal data is only possible after having identified and successfully authenticated the user, including processes and technologies that restrict and control access rights for users and services, allowing only authorized access which is necessary to accomplish assigned tasks in accordance with assigned responsibilities;
  • physical and environmental security to ensure that sufficient controls to protect against physical access of unauthorized people, as well as physical and environmental threats, are in place;
  • protection of confidentiality and integrity of personal data by utilizing trusted cryptographic technologies for personal data that is transmitted, stored, or otherwise processed;
  • operations security processes, including incident management procedures which cover preparation, detection, and analysis, containment and recovery of data in case of a personal data breach; monitoring capabilities to establish necessary traceability and allow for forensic analysis; vulnerability management controls to ensure that technical vulnerabilities and malicious activities are identified, tracked and remediated;
  • continuous evaluation of the effectiveness of implemented technical and organizational measures;
  • continuous evaluation of whether personal data should be, and if so, at what stage of the processing it should be, pseudonymized;
  • purpose limitation, data minimization, short retention periods;
  • state-of-the-art encryption protocols with keys stored outside the reach of the receiving party;
  • the request of receiving parties to challenge injunctions and other orders that risk compromising the integrity of the received personal data;
  • as far as it is relevant not to store or otherwise in actual form transfer personal data outside the EU/EES but instead provide viewing rights of non-EU/EES entities through the use of remote access tools;
  • the implementation of internal processes and guidelines on the processing of personal data in relation to transfers outside the EU/EES.
• If personal data is transferred to a processor-based outside of the EU/EES, such processing is governed by Data Processing Agreements.

6. How Long We Keep Your Personal Data

Your personal data is stored in our CRM tool (HubSpot), invoicing tool (Visma), and data analysis tools Google Tag Manager, Google Analytics 4, Google Adwords, Google Search Console, Google Data Studio, Leadfeeder, Hotjar, Reddit, Facebook, LinkedIn, and Twitter. We also store your personal data in Teamtailor (Recruitment System), WordPress (CMS), Lyyti (Event Management System), and Socio (Event Management System). All your personal data is securely stored using state-of-the-art security measures, such as firewalls, monitoring software, or live monitoring by our internal Security Operations Center, encryption protocols, and internal processes and guidelines for the handling and storing of personal data.

We will keep your personal data for the periods specified below:

Category of personal data:	Retention period (from our last interaction related to the particular purpose):
Contact details (name, email, telephone number)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 24 months have participated in one of our events: 24 months have subscribed to your newsletter: 24 months have visited our website(s): 24 months
Company-related information (company registration number, invoicing and payment details, order history, professional title)	If you: are a customer: 24 months (7 years, if related to statutory obligations under, e.g., the Swedish Bookkeeping Act and the Swedish Income Tax Act) have filled out an online form: 24 months have participated in one of our events: 24 months have subscribed to your newsletter: 24 months have visited our website(s): 24 months
Allergies	7 days after the relevant event has ended
Interest area	If you: are a customer: 24 months have filled out an online form: 24 months have participated in one of our events: 24 months have subscribed to your newsletter: 24 months have visited our website(s): 24 months
Non-essential cookie-related information (pages that you have visited, time spent on each page, which links you click on, which page you leave when you view a new one and which browser you use)	Please see Section 10 below.

7. Your Rights Under the GDPR

Under the GDPR, you have a number of rights in relation to our processing of your personal data. If you want to make use of these rights or have any other questions regarding your rights as a data subject whose personal data is under our processing, please contact us at our contact details above or send us an email at privacy@truesec.com.

• The right to access information (right of access)
  

You have the right to request to receive copies of the categories of personal data which we process. We may charge you a small fee for this service.

• The right to rectification
  

You have the right to request that incorrect, inaccurate, and incomplete personal data about yourself be rectified. For your information, we will, upon our own initiative, rectify any personal data about you that we discover is incorrect, inaccurate, or otherwise incomplete.

• The right to be forgotten
  

Under certain conditions, you have the right to request that personal data about you be deleted.

• The right to restriction of processing

Under certain conditions, you have the right to request that the processing of your personal data be restricted.

• The right to object to processing

Under certain conditions, you have the right to object to our processing of your personal data if such processing is made on the lawful basis of our legitimate interest.

• The right to data portability

Under certain conditions, you have the right to request that we transfer the personal data we have collected about you to another organization or directly to you in a structured, commonly used, and machine-readable format.

• Revoking your consent

You are at any time and free of charge entitled to revoke your consent to the processing of your personal data made on the lawful basis of your consent. We will then cease the said processing immediately. You can revoke your consent by calling us at +46 (0)8 10 00 10 or emailing us at privacy@truesec.com.

8. Your Right to Complain to Integritetsskyddsmyndigheten

You have the right to lodge a complaint with the Supervisory Authorities if you are dissatisfied with how we process your personal data. You will find the contact information of the Swedish Supervisory Authority here: https://www.imy.se/privatperson/utfora-arenden/lamna-ett-klagomal/.

9. Our Automated Decision-Making and Profiling Actions

We will process your personal data when you visit our website, become a customer, fill out an online form, or subscribe to our newsletter. In order to tell us more about our website visitors', customers', and newsletter subscribers' needs and habits, improve user-friendliness and usability, better tailor our product, service, and event offerings, and provide relevant and helpful content, we process the data listed below through profiling:

• how you use our website(s);
• which of our products, services, and other offers that you show an interest in;
• which newsletters you have interacted with and events you have signed up for: and
• your order history.

You can object to our processing of your personal data through profiling at any time and free of charge. Such objection can be made by emailing us at privacy@truesec.com. Once we receive your notification, we will cease to process your personal data through profiling.

10. Cookies

10.1 What Are Cookies?

A cookie is a small text file that a website requests to store on your device or computer in order to recognize you the next time you visit the website. The cookie is used to enhance user experience. Information in the cookie is used to follow a user's browsing activities.

There are two types of cookies:

•  Permanent cookies store a file on your device and enable you to use the site and access different features.
• Session cookies are used when you visit a website. A session cookie is sent between your computer and our web server to facilitate navigation. The cookie is erased when you leave the website.

For more information about cookies, please visit the Swedish Post and Telecom Authority website: http://www.pts.se/sv/bransch/regler/lagar/lag-om-elektronisk-kommunikation/kakor-cookies/.

10.2 Our Use of Cookies on Our Website

We use permanent cookies and session cookies on our website in order to:

• Measure and analyze visitor flow and navigation on the website to see what visitors appreciate and how they use our web services.
• Allow the system to recognize returning users in order to make the user experience as pleasurable as possible.
• Retain the visitor's choice of text size on the website and automatically fill in different form fields to facilitate the accessibility of services for the user and their visits to our websites.

If you accept session cookies, you can fully appreciate our website.

If you do not accept any cookies, you will not be able to appreciate our website fully; you will only be able to read information and view services, see prices, and related information.

10.3 Website Analysis Tools

We use Google Analytics to understand how you, the visitor, use our website. The following cookies are created when you visit the website:

Permanent cookies:

• __utma, differentiates between users and sessions/visits. It is updated at
  each pageview and expires two years after it is added or last updated.
• __utmz, measures traffic sources and navigation on the site (such as the search engine used to enter the site). It expires six months after it is added or last updated.

Session cookies:

• __utmb, calculates new sessions/visits. It is updated at each pageview and expires 30 minutes after it is added or last updated.
• __utmc, used with "__utmb" to understand if a new visit is made to the
  website (30 minutes of inactivity is counted as a new visit). It expires when
  the browser is closed.
• __utmt, calculates the site speed and expires 10 minutes after it is set.

Cookie:	Description:	Expires:
_ga	Used by GA to distinguish visitors	2 years
_gid	Used by GA to distinguish visitors	24 hours
_gat	Used by GA to limit the frequency of inquiries	1 minute

The information created by these cookies is used to evaluate visitor statistics in order to improve content, navigation, and website structure. Read about Google's privacy policy here: https://www.google.se/intl/sv/policies/privacy/.

10.4 Disable the Storage of Cookies

If you do not want cookies to be stored on your computer, you can turn off the feature in your browser settings. Thus, no cookies will be stored, but note that your personal settings will disappear. Learn how to remove cookies from web browsers: http://www.minacookies.se/ditt-val/.

If you do not want your visits to our website to appear in Google Analytics statistics, you can use an add-on in your browser. See Google Analytics Opt-out Browser Add-on: https://tools.google.com/dlpage/gaoptout.

10.5 Legal Information

The Electronic Communications Act 2003:389 (Sweden): https://www.riksdagen.se/sv/dokument-lagar/dokument/svensk-forfattningssamling/lag-2003389-om-elektronisk-kommunikation_sfs-2003-389.

11. Terms and Conditions – Trainings and Paid Events

Cancellation Policy

All enrollments are binding. All training purchases are final and non-refundable, but course enrollment substitutions are acceptable any time up to the course start date.

Course Audit Policy

Students may take the same course already attended at no additional charge any time within six (6) months or at 50% off within 12 months of the original class date, on a space-available basis. Students will use their courseware from their previous class. If the original courseware is revised in the interim, it is the responsibility of the student to purchase any updated material.

Payment Terms

Full payment shall be received within thirty (30) business days of registration submittal and a minimum of five (5) calendar days prior to the course's start date.

Reservation

We reserve the right to cancel any class or event. If a class is canceled, we will contact students by telephone and email to arrange for training credit.

Customer Data

When purchasing a training or an event ticket, you approve that your information is stored using modern information technology and is stored within Truesec so that we can fulfill our obligations.