Privacy Policy
How iSECTECH collects, uses, protects, and respects your personal information across our cybersecurity services, client portals, and digital properties — designed to meet GDPR, CCPA/CPRA, and leading global privacy standards.
At a Glance
- We never sell your personal information.
- We act as processor for client engagements under signed DPAs.
- Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Test artifacts are securely destroyed within 30–90 days.
- We notify breaches within 72 hours where required.
- You have the right to access, correct, delete, and port your data.
01 Introduction
iSECTECH (“iSECTECH,” “we,” “us,” or “our”) is a cybersecurity firm specializing in penetration testing, vulnerability assessment, red teaming, security auditing, incident response, managed security services (MSSP/SOC), governance, risk and compliance (GRC) advisory, digital forensics, online reputation and privacy services, and security awareness training.
Because our work routinely involves access to highly sensitive client environments and personal data, we hold ourselves to a privacy and security standard that meets or exceeds applicable laws and recognized industry frameworks, including ISO/IEC 27001, ISO/IEC 27701, SOC 2, NIST CSF, NIST 800-53, PCI-DSS, and the OWASP Application Security Verification Standard.
This Policy explains how we collect, use, disclose, retain, and protect personal information in connection with our website, professional services, customer/partner portals, and marketing and recruitment activities — and the rights you have over your data.
02 Who We Are / Data Controller
For the purposes of applicable data protection laws, the controller of your personal information is:
iSECTECH, 443 Western Ave #1033, South Portland, ME 04106, USA
EU/UK Representative available on request via [email protected].
When we deliver services to clients (e.g., during a penetration test, red team engagement, or managed security service), iSECTECH typically acts as a data processor or sub-processor, with the client remaining the controller. In those cases, our processing is governed by the executed Data Processing Agreement (DPA), which incorporates Standard Contractual Clauses where required.
03 Scope of This Policy
This Policy applies to personal information we process about visitors to our website; prospective, current, and former clients and their authorized users; partners, vendors, and sub-processors; job applicants and personnel; subscribers to our newsletters, advisories, and threat intelligence feeds; and individuals who interact with us on social media or at events.
This Policy does not apply to (a) anonymous or aggregated data that cannot reasonably be linked to an identified person, (b) data processed strictly under a client DPA where the client is the controller, or (c) third-party websites linked from our site, which have their own privacy policies.
04 Categories of Personal Information We Collect
We collect only what we need to deliver our services, comply with the law, and run our business responsibly. Categories include:
- Identification & contact data: name, business email, phone number, employer, job title, postal address.
- Account & portal data: username, hashed password, MFA identifiers, role/permissions, login timestamps, device fingerprint.
- Engagement data: SOWs, rules of engagement (ROE), in-scope assets (IPs, domains, applications), test windows, testing credentials provisioned by the client, related communications.
- Technical & log data: IP address, user agent, referrer, pages viewed, timestamps, security event logs, intrusion detection records.
- Vulnerability & finding data: identified weaknesses, proof-of-concept artifacts, redacted screenshots, and remediation guidance produced during assessments — treated as highly confidential.
- Billing & commercial data: billing contact, purchase orders, invoices, tax identifiers. We do not store full payment card numbers; card payments are processed by PCI-DSS certified providers.
- Recruitment data: CV/resume, cover letter, references, work eligibility, interview notes, and (where lawful) background-check results.
- Marketing data: subscription preferences, content engagement, event attendance.
- Communications data: emails, support tickets, chat transcripts, call records (where lawfully recorded with notice).
- Cookies & similar technologies: see Section 12.
05 Sources of Personal Information
- Directly from you: when you fill out a form, request a quote, sign a contract, attend an event, or apply for a role.
- From your employer or organization: when they engage us or designate you as a point of contact.
- Automatically: via cookies, server logs, and analytics when you visit our website or use our portals.
- From third parties: sanctions/AML screening providers, background-check vendors (with consent), publicly available business information, threat intelligence partners, and referrals.
06 Purposes & Legal Bases for Processing
Under the GDPR/UK GDPR and similar laws, we rely on the following legal bases:
- Performance of a contract — to deliver the cybersecurity services you have engaged us to provide, manage your account, and issue invoices.
- Legitimate interests — to secure our infrastructure, prevent fraud and abuse, conduct B2B marketing to professional contacts, improve our services, and pursue or defend legal claims, balanced against your rights and freedoms.
- Compliance with a legal obligation — tax, accounting, anti-money-laundering, export-control, and lawful-disclosure requirements.
- Consent — for non-essential cookies, electronic marketing where required, and any optional processing. Withdrawable at any time.
- Vital / public interest — in rare cases such as responding to a security incident affecting many individuals.
07 How We Share Personal Information
We do not sell personal information, and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We disclose personal information only as follows:
- Service providers and sub-processors bound by written contracts and confidentiality obligations: cloud infrastructure (AWS, Microsoft Azure, Google Cloud), email and productivity suites, ticketing/CRM, secure code repositories, vulnerability management platforms, e-signature providers, analytics, and payment processors. A current list of material sub-processors is available on request to clients under NDA.
- Professional advisors — auditors, lawyers, insurers, accountants — under duties of confidentiality.
- Authorities — when legally required, in response to valid legal process, or to protect rights, property, or safety. We challenge overbroad requests where appropriate.
- Corporate transactions — in connection with a merger, acquisition, financing, or asset sale, subject to confidentiality and continuity of protections.
- With your direction or consent — for example, when you ask us to share a report with a third party.
08 International Data Transfers
iSECTECH is headquartered in the United States and may process personal information in the U.S. and other countries where we or our sub-processors operate. When we transfer personal data from the EEA, the United Kingdom, or Switzerland to a country not deemed adequate, we implement appropriate safeguards, including the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, and supplementary technical and organizational measures (encryption in transit and at rest, access minimization, and transfer impact assessments) consistent with the Schrems II ruling.
09 Data Retention
We keep personal information only for as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.
When data is no longer needed, we securely delete or irreversibly anonymize it in accordance with NIST SP 800-88 media sanitization guidance.
10 How We Protect Your Information
Security is our profession. Our information security program is aligned with ISO/IEC 27001 and SOC 2 Trust Services Criteria, and includes:
- Encryption in transit (TLS 1.2+) and at rest (AES-256).
- Strict role-based access control, least-privilege provisioning, and mandatory MFA for all employees.
- Hardened, patched, and continuously monitored production environments with EDR, SIEM, and 24/7 alerting.
- Segmented engagement environments and per-client encrypted vaults for findings and artifacts.
- Background checks, confidentiality agreements, and ongoing security training for all personnel.
- Independent third-party assessments, internal red-team exercises, and a documented Secure SDLC.
- A formal Incident Response Plan with defined roles, runbooks, and tabletop testing.
- Vendor risk management with security and privacy due diligence prior to onboarding.
- Coordinated vulnerability disclosure: please report security issues to [email protected] (PGP key on request).
11 Your Privacy Rights
Subject to applicable law and verification of your identity, you have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete personal information, subject to legal retention obligations.
- Port your data in a structured, commonly used, machine-readable format.
- Restrict or object to certain processing, including direct marketing.
- Withdraw consent where processing is based on consent.
- Opt out of “sale” or “sharing” of personal information and of targeted advertising (we do not engage in these activities, but the right is preserved).
- Limit use of sensitive personal information as defined under the CPRA.
- Non-discrimination for exercising your privacy rights.
- Lodge a complaint with a supervisory authority — for EU residents, your local Data Protection Authority; for UK residents, the ICO; for California residents, the California Privacy Protection Agency.
To exercise any of these rights, email [email protected] or write to us at the postal address above. You may use an authorized agent where the law permits, with appropriate written authorization. We will respond within the timelines required by applicable law (generally 30 days under GDPR; 45 days under CCPA/CPRA, extendable as permitted).
12 Cookies & Similar Technologies
We use cookies and similar technologies to operate and secure our website, remember preferences, measure performance, and (with your consent) personalize content.
- Strictly necessary — required for the site to function and stay secure (session, CSRF, load balancing). Cannot be disabled.
- Functional — remember your preferences (e.g., language).
- Analytics — help us understand how the site is used, in aggregate.
- Marketing — used only with your consent.
Where required, we display a consent banner and honor Global Privacy Control (GPC) signals. You can manage cookies through your browser settings or our cookie preferences link in the footer. Specific cookies set by our site include WordPress comment cookies (one year, only if you leave a comment), login cookies (2 days, or 14 days with “Remember Me”), and editor cookies for site administrators (one day).
13 Embedded Content from Other Websites
Articles on this site may include embedded content (e.g., videos, images). Embedded content from other websites behaves as if you visited that website and may collect data, use cookies, embed third-party tracking, and monitor your interaction with that content, especially if you have an account and are logged in to that site.
14 Comments, Media & Communications
When visitors leave comments on the site, we collect the data shown in the comments form, the visitor’s IP address, and browser user-agent string to assist with spam detection. An anonymized hash of your email may be sent to the Gravatar service to check whether you are using it (see the Gravatar privacy policy). When you upload images, please avoid uploading images with embedded location data (EXIF GPS), as visitors can extract such data.
15 SMS / Text Message Policy
We may send text messages with service updates, security alerts, or — with your express opt-in — promotional content. You can opt out at any time by replying STOP to any message or emailing [email protected]. Standard message and data rates may apply. We do not share your phone number with third parties for their own marketing.
16 Recruitment & Applicants
If you apply for a role, we process your application data to evaluate your candidacy and, where lawful and necessary, to perform background or reference checks. We treat application data confidentially and retain it only for as long as necessary. Equal-opportunity data, where collected, is voluntary and processed only in aggregate.
17 Children’s Privacy
Our services are intended for businesses and adults. We do not knowingly collect personal information from children under 16 (or the equivalent age under applicable law). If you believe a child has provided us with personal information, please contact [email protected] and we will delete it promptly.
18 Data Breach Notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware, in accordance with Article 33 GDPR and applicable U.S. state breach-notification statutes. Where required, we will also notify affected individuals and, for engagements where iSECTECH acts as processor, the relevant client controller without undue delay.
19 Third-Party Links
Our site may contain links to third-party sites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.
20 Changes to This Privacy Policy
We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will revise the “Last Updated” date and, where appropriate, provide a more prominent notice (such as via email or an on-site banner). We encourage you to review this Policy periodically.
21 Contact Us
For any questions, requests, or complaints relating to this Privacy Policy or our handling of your personal information, please reach out:
iSECTECH — Privacy Team
We respond to verified privacy requests within the timelines required by applicable law. For security-sensitive disclosures, please use our dedicated security channel below — a PGP key is available on request.
443 Western Ave #1033, South Portland, ME 04106, USA · +1 (800) 325-1974
