Responsibilities and definitions
- Controller – the company using Cyberon Centry to protect its infrastructure is responsible for the processing of data, including personal data. This will normally be the customer/the employer.
- Processor – Cyberon Security processes the data on behalf of the controller and is responsible for implementing appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the General Data Protection Regulation and ensure the protection of the rights of the data subject.
- The data subject – the directly or indirectly identifiable person whose data are being collected, stored or otherwise processed. This will normally be the employee or other persons using the customer's infrastructure.
- Processing – any operation or set of operations which is performed on personal data or on sets of personal data.
- Personal data – any information relating to an identified or identifiable natural person (the data subject).
Purpose of processing
Cyberon Centry is used to secure the processing of information in the controller's infrastructure, including the endpoints/personal computers when applicable. Cyberon Centry monitors network traffic and events including processes, data access, system usage and application logs. Depending on the implementation of the service, it also retrieves logs from equipment or services such as firewalls, servers, antivirus solutions, e-mail protection, cloud services (Office 365) and endpoints. The service detects and reports events related to potential threats such as known vulnerabilities, malicious code, infected web pages, malicious applications, vulnerable services and attempted attacks, as well as other events related to the confidentiality, integrity and availability of the controller's business, their infrastructure and applications and their employees.
Lawfulness of processing
The controller has a legitimate interest in processing according to GDPR Article 6.1 (f). Other legitimate grounds for processing might apply depending on the individual controller. Cyberon Security's processing is based on the Data Protection Agreement directly with the controller or indirectly via their suppliers or vendors. The purpose of processing is not to process special categories of personal data. Should the processing include special categories of personal data, the processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller according to the General Data Protection Regulation Article 9.2 (b).
The types of personal data processed by Cyberon Centry:
- Anomalies in infrastructure, data at rest or data in transit
- Internal or external activities related to potential threats
- Detection, prevention and investigation of security breaches
- Applications, inventory and other security data connected to endpoints.
Information relating to anomalies, potential threats and security breaches may be related to username, computer name, IP, e-mail address (sender, recipient), e-mail subject, or other digital identifier.
Processing, reporting and sharing of data
The data collected by Cyberon Centry is stored, structured and made available to the controller by Cyberon Security. All reporting is conducted in such a way that the identity of the data subject is not revealed, with the exception of any legal order or:
a) When necessary to maintain the day-to-day operations or other legitimate interests of the controller.
b) Due to a legitimate suspicion that the data subject's use of the infrastructure entails a gross violation of the subject's duties and obligations or may provide a basis for termination of contract or dismissal.
In such cases the controller is responsible for informing the data subject. Beyond this, personal data or data related to the controller are not shared with other parties or individuals. Anonymised data (data that cannot be related to an individual) can be used by Cyberon Security for research and development internally or in cooperation with a third party.
Data is transmitted and stored encrypted (TLS and dm-crypt) and is subject to monitoring for three months. Then the data will be taken offline and stored securely on Cyberon's servers. The servers handle data behind three security zones. The access control enables only authorised persons to access the data. All processing is subject to confidentiality. Data are stored on Cyberon's servers in Norway. Personal data not related to special events are anonymised after 12 months. Upon termination of agreement, all data that may be linked to the data subject will be anonymised or deleted in accordance with the agreement with the controller.
Rights of the data subject
The data subject has the right to:
- request access to their personal data
- rectification or erasure of personal data or restriction of processing
- object to processing as well as the right to data portability
- lodge a complaint with a supervisory authority – The Norwegian Data Protection Authority
For more information about access, rectification, erasure, restriction and data portability, see Articles 15–21 of the General Data Protection Regulation. Please contact your employer or us for any requests regarding your rights.
Cyberon Security AS Drammensveien 167 0277 OSLO, Norway Erlend Udnesseter email@example.com