IstroSec PRIVACY POLICY

Version: 1.0

Effective Date: June 1, 2025

1. Introduction

This Privacy Policy (“Policy”, or “Privacy Policy”) explains how IstroSec (“we,” “us,” or “our”) collects, processes, and protects your personal data. In this Policy, “IstroSec” refers to IstroSec s.r.o., a Slovak company with its registered office at Černyševského 10, 851 01 Bratislava, Slovakia, registered under number ID 53 849 060 (“IstroSec”). If any affiliate of IstroSec is involved in the relevant data processing activities, that respective affiliate may also serve as a controller or joint controller alongside IstroSec.

This Privacy Policy applies only when IstroSec acts as a data controller.

When IstroSec provides services such as Managed Defense (MDR/SOCaaS), Digital Forensics & Incident Response (DFIR), Security Operation Center (SOC) implementation, Threat Hunting, Breach & Attack Simulations, or any similar services, IstroSec acts as a data processor, processing personal data on behalf of its customers.

In such cases, this Policy does not apply. For certain products or services, IstroSec may introduce a separate product-specific privacy policy; in case of any conflict, that product-specific policy takes precedence.

2. Data We Collect and Why We Process It

The purposes for which we process personal data, the types of personal data involved, and the legal basis on which we rely are described in Annex 1.

3. Data Retention

IstroSec is committed to retaining personal data only for as long as necessary to fulfil the specific purposes for which it was collected, unless we need to retain data for other valid legal reasons (e.g., compliance with a legal obligation, dispute resolution, or enforcement of agreements). The retention periods indicated below are based on the legal bases specified in Article 6 of the GDPR. For details on the legal bases applicable to each processing purpose, see Section 2 of this Privacy Policy.

  • Legitimate Interest (Article 6(1)(f) GDPR)

    • Retained as long as our legitimate interest applies (e.g., fraud prevention, security). May be kept longer if needed to protect or enforce IstroSec’s rights.
  • Performance of a Contract (Article 6(1)(b) GDPR)

    • Retained for the duration of the contract and as required by law or for dispute resolution. May be extended until claims are resolved or statutory limitation periods expire.
  • Consent (Article 6(1)(a) GDPR)

    • Retained until the purpose is fulfilled or consent is withdrawn, whichever comes first. Deleted or anonymized unless another legal basis (e.g., legal obligation) applies.
  • Legal Obligation (Article 6(1)(c) GDPR)

    • Retained for the period specified by relevant laws (e.g., tax and accounting requirements).
  • Defending Our Rights and Claims

    • Even if a processing purpose ends (e.g., contract completed, consent withdrawn), IstroSec may keep your data if needed to establish, exercise, or defend legal claims, in line with statutory limitation periods. After that, data is deleted or anonymized.

4. Data Sharing, Processors, and Transfers to Third Countries

4.1 Data Sharing

Your personal data will not be shared with any third party except in the following situations:

  • Data is necessary for the provision of IstroSec’s services;

  • You have given your consent;

  • Personal data is entrusted to processors that process personal data on behalf of IstroSec (under contractual obligations to protect it);

  • IstroSec is legally required to provide the data or is responding to an order by a public authority.

To help customers manage their cybersecurity services, IstroSec may process personal data on behalf of these customers. Any data sharing with third parties, if necessary, is done strictly in accordance with the customer’s instructions, applicable legal requirements, and cybersecurity best practices.

4.2 Categories of Processors

IstroSec may share your data with the following types of processors (i.e., service providers under contract to process data on IstroSec’s behalf):

  • Data center and hosting providers;

  • Marketing service providers;

  • Analytics and recording solution providers;

  • Poll or survey solution providers;

  • Business management service providers (including providers of business service platforms);

  • Task management and communication service providers;

  • Legal, tax, accounting, and audit service providers;

  • Recruitment and applicant verification providers;

  • Information security providers.

4.3 Transfers to Third Countries

IstroSec will transfer your data to countries outside the EU/European Economic Area (EEA) only in compliance with applicable data protection laws. This means that any such transfer will take place under one of the following conditions:

  • The recipient is located in a country that the European Commission has recognized as providing an adequate level of data protection.

  • The transfer is based on appropriate safeguards, such as:

    • Standard Contractual Clauses (SCCs) adopted by the European Commission;

    • Binding Corporate Rules (BCRs), where applicable;

    • Certification under the EU-U.S. Data Privacy Framework (DPF) for transfers to the United States;

    • Derogations under Article 49 of the GDPR.

  • Any other legally approved transfer mechanism that ensures compatibility with relevant applicable laws and provides adequate safeguards for data protection.

If necessary, additional technical and organizational measures are applied to ensure that your data remains protected at a level equivalent to the GDPR.

You may request a copy of the relevant safeguards used for international data transfers by emailing board@istrosec.com.

5. Data Security

At IstroSec, we prioritize the security (confidentiality, availability, integrity) of the data we process while delivering our (cybersecurity) services. We implement advanced security measures to protect data from unauthorized access, loss, or misuse.

While we take every precaution to safeguard data, we also emphasize the importance of strong cybersecurity practices for our customers and partners.

We recommend:

  • Implementing strong authentication mechanisms (e.g., multi-factor authentication);

  • Regularly updating security configurations and access controls;

  • Avoiding the sharing of sensitive credentials or access details.

IstroSec will never request sensitive credentials (such as passwords or private keys) via unsolicited emails, phone calls, or messages. If you suspect a security breach, unauthorized access, or a phishing attempt related to our services, please report it immediately to board@istrosec.com.

6. Your Rights

Depending on the jurisdiction applicable to you, you may have certain data protection rights. If you wish to exercise any right described below, please contact us at board@istrosec.com. Note that your ability to exercise these rights may be limited, if IstroSec must retain your data for legal purposes, to defend legal claims, or for other reasons permitted by applicable law.

6.1 Your Rights Under the GDPR

Right of Access: You can request information about which personal data IstroSec processes about you, for what purposes, and who the recipients of that data are.

Right to Rectification: You can ask us to correct any incomplete, inaccurate, or out-of-date personal data we hold about you.

Right to Erasure (“Right to Be Forgotten”): You can request the deletion of certain personal data we have collected and processed about you.

Right to Restrict Processing: Under specific conditions, such as if you believe we are processing inaccurate personal data or you consider the processing no longer necessary, you may request that we restrict our processing activities.

Right to Data Portability: You can request personal data you have provided to us in a structured, commonly used, and machine-readable format. You also have the right to request the transfer of such data to another controller, where technically feasible.

Right to Object: You can object, at any time and on grounds relating to your particular situation, to the processing of personal data carried out in the public interest or under IstroSec’s legitimate interests (including profiling).

Right to Withdraw Consent: If your data is processed based on consent, you can withdraw that consent at any time. Note that withdrawing consent does not affect the lawfulness of any processing that occurred prior to the withdrawal.

Right to Opt Out: If IstroSec processes your data based on its legitimate interest (for example, certain marketing activities), you can opt out at any time. You may do so by clicking the unsubscribe link in our marketing emails, adjusting your user account settings, or contacting us directly.

Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects on you. Please note that IstroSec does not make such solely automated decisions with significant effects on users.

Right to File a Complaint: If you wish to file a complaint about how IstroSec handles your personal data, you may contact our Data Protection Officer at board@istrosec.com, and we will endeavor to resolve your concern. You also have the right to lodge a complaint with the Slovak supervisory authority (Úrad na ochranu osobných údajov Slovenskej republiky: https://dataprotection.gov.sk) or with the supervisory authority in the location of any IstroSec affiliate involved.

7. Changes to This Privacy Policy and Language Versions

IstroSec may occasionally update or revise this Privacy Policy. Any changes will be announced through an updated version posted on the IstroSec website.

In the event of any inconsistency between a translated version of this Privacy Policy and the English-language version, the Slovak-language version shall prevail and be considered the authoritative text.

8. Contact Details

For more information about IstroSec’s privacy practices or this Privacy Policy, please contact us at:

Email: board@istrosec.com

We appreciate your assistance in keeping your personal data accurate. If you believe that any data we process about you is incorrect, please let us know at board@istrosec.com.