cyan Security Group GmbH

Thank you very much for your interest in cyan (“we”, “us”, “company”). cyan AG and its subsidiaries (collectively referred to as “cyan”, “we”) endeavour to provide the most comprehensive protection possible for all website visitors (“Users”) in order to have a positive effect on the use of https://www.cyansecurity.com/ and https://ir.cyansecurity.com/ (“Website”) and the use of our products. By means of this privacy policy we would like to inform every user about the type, scope and purpose of the personal data that we collect, use and process. This privacy policy is also intended to inform users of their rights.

1. Definitions

Among other things, we use the following terms in this privacy policy and on our website:

a) Personal data
Personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

b) Person concerned
Data subject means any identified or identifiable natural person whose personal data is processed by the controller.

c) Processing
Processing is any operation or set of operations, performed with or without the aid of automated means, concerning personal data, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, deletion or destruction.

d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of restricting the future processing.

e) Profiling
Profiling is any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, particularly for the purpose of analyzing or predicting aspects relating to the job performance, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or change of location of that natural person.

f) Anonymization
Anonymization is the processing of personal data in such a way that the personal data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is kept separate and subjected to technical and organizational measures that ensure that the personal data is not assigned to an identified or identifiable natural person.

g) Controller or data controller
The controller or data controller is the natural or legal person, public authority, agency or other body which alone or together with others determines the purposes and means of the processing of personal data. If the purposes and means of such processing are determined by Union law or by the law of the Member States, the controller or the specific criteria for its designation may be provided for by Union law or by the law of the Member States.

h) Contract processors
The processor is a natural or legal person, public authority, agency or other body responsible for processing personal data on behalf of the controller.

i) Recipient
The recipient is a natural or legal person, authority, institution or other body to whom personal data is disclosed, regardless of whether it is a third party. However, public authorities which may receive personal data during the course of a specific investigation mandate under Union or national law shall not be regarded as recipients.

j) Third party
A third party is a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who are authorized to process the personal data under the direct authority of the controller or the processor.

k) Consent
Consent is any freely given, informed and unequivocal expression of the data subject’s will in a specific case, in the form of a declaration or other unequivocal affirmative act by which the data subject signifies his or her consent to the processing of personal data relating to him or her.

2. Name and address of the controller

The responsible processor in connection with this website is cyan Security Group GmbH. If you have any questions or wish to assert the rights of data subjects, please contact:

cyan Security Group GmbH

ICON Tower 24, 16th floor

Wiedner Gürtel 13, 1100 Vienna, Austria

e-mail:

Website: www.cyansecurity.com

3. Collection of data

When you visit our website or use our products or services, data may be collected, which may include personal data. We may also collect personal information from trusted third-party sources or engage third parties to collect personal information on our behalf.

During the course of your visit to our website we will automatically collect the following personal data about you:

  • The date and time when a page on our website is accessed;
  • Your IP address (in abbreviated form, so that no clear assignment is possible);
  • Technical information such as the name and version of your web browser, Internet service provider, terminal device and screen resolution;
  • Source of origin (URL) of your visit (i.e. via which website or advertising medium you came to us);
  • The achievement of “website objectives” (e.g. contact requests and newsletter subscriptions);
  • Your behavior on the pages (for example clicks, scrolling behavior and dwell time);
  • Your approximate location (country and city);
  • Certain cookies (see Cookie Policy)

Under certain circumstances, functions of our website can only be used by providing your personal data. Your personal data will be used for the following business purposes, for example:

  • To provide you with a newsletter subscription
  • To send and manage marketing messages and preferences
  • To provide websites and solutions and to enable the use of certain features
  • To personalize and improve usability and solutions
  • For the provision of our customer service
  • For the administration of job applications

The third parties we use may combine the information that we collect about you on our website and via our solutions with information from other sources. This is intended to improve and personalize our interaction with users.

If you provide us with a third party’s personal information (such as name, email address, and phone number), you confirm that you have permission from that third party to do so (e.g., forwarding reference or marketing materials to friends or finding a job). Of course, third parties may opt out of receiving any future communications by clicking on the link in the original message. In some situations, we and our third-party service providers may automatically collect information via the use of cookies, weblogs, web beacons, or similar applications. This information is used to understand and improve the functionality, performance and effectiveness of the website or solution and to tailor features, content or offerings to you in a better way.

4. Legal basis of the processing

We process your personal data based on:

  • your direct consent to the processing of personal data concerning you for one or more specific purposes in accordance with Art. 6 para. 1 letter a GDPR
  • the necessity for the fulfilment of a contract or our business relationship with you or the fulfilment of pre-contractual obligations in accordance with Art. 6 para. 1 lit b GDPR, as well as
  • our overriding legitimate interest according to Art 6 Paragraph 1 lit f GDPR, which consists of making our website user-friendly and protecting our website from attacks.
  • under certain circumstances, the processing of your personal data may also be necessary to fulfill legal obligations according to Art 6 Paragraph 1 lit c GDPR.

5. Use of your personal data

We may use your personal information to conduct our business and to ensure the security of our operations, to provide, improve and customize our website and solutions, to send notices, marketing and other communications, and for other lawful purposes, and only in accordance with the applicable law. We may therefore use your personal information in the following ways, among others:

  • For the delivery of a solution requested by you
  • To analyze, support and improve our website and usability
  • To personalize websites and solutions, newsletters and other communication tools
  • To manage your relationship and interactions with us
  • To send information to you, for example for marketing purposes, directly from us

You can change your communication preferences at any time.

6. Contact via the Internet site

If you need support or have questions about data protection or the handling of your personal data, please use the contact options here.

When using this contact form, the personal data (e.g. name, e-mail) transmitted by the person concerned is automatically stored. Such personal data transmitted on a voluntary basis from a data subject to the data controller are stored for the purposes of processing or contacting the data subject. This personal data is not passed on to third parties.

7. Duration of data storage

If we are the data controller, we will only process and store the personal data of the data subject for the period of time that is needed to achieve the purpose of storage, or insofar as storage or processing is necessary for complying with legal requirements.

If the purpose of storage ceases to apply or if a prescribed storage period expires, the personal data is routinely blocked or deleted in accordance with legal requirements.

8. Rights of the data subject

To exercise your rights under this point, please contact us using the contact details given in this privacy policy.

a) Right to confirmation

Any data subject may request confirmation from the controller of the data processed.

b) Right to information

At any time and free of charge, any person affected by the processing of personal data has the right to obtain information about the personal data stored about him/her and a copy of this information from the data controller. The data subject is also entitled to receive information about the following:

  • the processing purposes
  • the categories of personal data processed
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed, to recipients in third countries or to international organizations
  • if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
  • the existence of a right of rectification or deletion of personal data concerning him or her or of a right to have the processing limited by the controller or to object to such processing
  • the existence of a right of appeal to a supervisory authority
  • if the personal data is not collected from the data subject: All available information about the origin of the data
  • the existence of automated decision-making, including profiling, in accordance with Article 22(1) and (4) of the DPA and, at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject

Furthermore, the data subject has the right of information as to whether personal data has been transferred to a third country or to an international organization. If this is the case, the data subject shall also have the right to obtain information about the appropriate safeguards associated with the transfer.

c) Right of rectification

Any person affected by the processing of personal data has the right to demand the immediate correction of incorrect personal data relating to them. Furthermore, the data subject shall have the right to request the completion of incomplete personal data, including by means of a supplementary declaration, regarding the purposes of the processing.

d) Right of cancellation (right to be forgotten)

According to the European Directives and Regulations, any person who is affected by the processing of personal data has the right to immediate deletion of personal data concerning him/her by the controller, if one of the following reasons applies and the processing is not necessary:

  • Personal data has been collected or otherwise processed for purposes for which it is no longer necessary.
  • The data subject withdraws his or her consent on which the processing was based pursuant to Article 6 paragraph 1 letter a of the DPA or Article 9 paragraph 2 letter a of the DPA, and there is no other legal basis for the processing.
  • The data subject lodges an objection to the processing pursuant to Article 21(1) of the DPA and there are no overriding legitimate reasons for processing, or the data subject lodges an objection to the processing pursuant to Article 21(2) of the DPA.
  • Personal data has been processed unlawfully.
  • The deletion of personal data is necessary to comply with a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • Personal data has been collected in relation to information society services offered in accordance with Art. 8 Paragraph 1 of the GDPR.

If the personal data has been made public by cyan Security Group GmbH and our company as the responsible party is obliged to delete the personal data in accordance with Art. 17 Par. 1 GDPR, cyan Security Group GmbH will take reasonable measures, including technical measures, taking into account the available technology and the implementation costs, to inform other data controllers who process the published personal data that the data subject has requested these other data controllers to delete all links to this personal data or copies or replications of this personal data, unless the processing is necessary.

e) Right to limit processing

Any person affected by the processing of personal data has the right to restriction of the processing by the controller if one of the following conditions is met:

  • The accuracy of the personal data is contested by the data subject, for a period of time that allows the data controller to verify the accuracy of the personal data.
  • The processing is unlawful; the data subject refuses to have the personal data deleted and instead requests that the use of the personal data be restricted.
  • The controller no longer needs the personal data for the purposes of the processing, but the data subject needs it to exercise or defend legal claims.
  • The data subject has lodged an objection to the processing in accordance with Art. 21 (1) GDPR and it is not yet clear whether the legitimate reasons of the controller outweigh those of the data subject.

f) Right to data transferability

Any person affected by the processing of personal data has the right to obtain, in a structured, standard and machine-readable format, the personal data relating to him/her which has been supplied by the data subject to a controller. He/she also has the right to have this data communicated to another controller without hindrance by the controller to whom the personal data has been made available, provided that the processing is based on the consent pursuant to Art. 6 paragraph 1 letter a of the DPA or Art. 9 paragraph 2 letter a of the DPA or on a contract pursuant to Art. 6 paragraph 1 letter b of the DPA, and provided that the processing is carried out by means of automated procedures, unless the processing is necessary for performing a task that is being carried out in the public interest or exercising official authority vested in the controller.

In addition, when exercising their right to data transfer in accordance with Art. 20 Paragraph 1 of the DPA, the data subject has the right to obtain that personal data be transferred directly from one person responsible to another, insofar as this is technically feasible and provided that this does not affect the rights and freedoms of other persons.

g) Right of appeal

Every person concerned by the processing of personal data has the right to object at any time, for reasons arising from his or her particular situation, to the processing of personal data concerning him or her that is carried out pursuant to Article 6(1)(e) or (f) of the DPA. This also applies to profiling based on these provisions.

In the event of an objection, cyan Security Group GmbH will no longer process the personal data unless we can prove that there are compelling reasons for processing worthy of protection that outweigh the interests, rights and freedoms of the person concerned, or the processing serves to assert, exercise or defend legal claims.

If we process personal data for the purpose of direct marketing, the data subject has the right to object at any time to the processing of personal data for the purpose of such marketing. This also applies to profiling, insofar as it relates to such direct marketing. If the data subject objects to cyan Security Group GmbH processing for the purposes of direct advertising, cyan Security Group GmbH will no longer process the personal data for these purposes.

The data subject also has the right to object, for reasons arising from his or her particular situation, to the processing of personal data concerning him or her that is carried out at cyan Security Group GmbH for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 Par. 1 GDPR, unless such processing is necessary for performing a task that is being carried out in the public interest.

The data subject shall also be free to exercise his/her right of objection by means of automated procedures involving technical specifications in connection with the use of information society services, notwithstanding directive 2002/58/EC.

h) Automated decisions in individual cases including profiling

Every data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or significantly affects him or her in a similar way, except where such decision is (1) necessary for the conclusion or performance of a contract between the data subject and the controller, or (2) authorized by mandatory provisions of law, provided that such provisions contain adequate safeguards with regard to the rights and freedoms and legitimate interests of the data subject, or (3) with the explicit consent of the data subject.

If the decision is (1) necessary for the conclusion or performance of a contract between the data subject and the data controller or (2) is made with the explicit consent of the data subject, we will take reasonable measures to safeguard the rights and freedoms and legitimate interests of the data subject, including at least the right to obtain the intervention of a person from the data controller, to express his or her point of view and to challenge the decision.

If the data subject wishes to exercise rights relating to automated decisions, he or she may contact an employee of the controller at any time.

i) Right to revoke a data protection consent

Every person affected by the processing of personal data has the right to revoke his/her consent to the processing of personal data at any time.

9. Data protection for applications and in the application process

During the application process, the personal data of applicants is processed for the purpose of dealing with the application procedure. The processing can also be done electronically. This is particularly the case if an applicant submits the relevant application documents to the data controller electronically, for example by e-mail or via a web form on the website. If the data controller concludes an employment contract with an applicant, the transmitted data is stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents shall be automatically deleted six months after notification of the rejection decision, unless deletion is contrary to any other legitimate interests of the data controller.

10. Passing on your personal data

As part of our business relationship with you, we may share your personal information with third parties to conduct our business, to provide, improve, secure and customize our website and solutions, to send marketing materials and other business communications, to the extent permitted by law, and for other purposes permitted by applicable laws.

We pass on personal data in the following ways, but only if the legal framework allows for this:

  • Within our group of companies, e.g. for marketing, business operations, security, functionality of websites or solutions, or storage
  • To our business partners or suppliers to ensure our business operations
  • Based on a governmental or court order, if we believe that disclosure is in accordance with the applicable law
  • In aggregated and/or anonymized form; the anonymization shall be carried out taking into account all means likely to be used by the responsible person or by any other person in the general interest to identify the natural person directly or indirectly.
  • If we notify you and you agree to the transfer

11. Security of your personal data

To protect the personal information you entrust us with and to use it in accordance with applicable data protection laws, we implement physical, administrative and technical safeguards to protect your personal information from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. We also obtain contractual assurances from our suppliers that any personal data is protected against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. However, absolute security on the Internet cannot be guaranteed, and we cannot guarantee that the personal data provided to us is 100% secure.

12. Cookies

Various cookies are used on the website, and a listing can be found in our cookie policy. Cookies are text files that are placed and stored on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters that can be used to assign websites and servers to the specific Internet browser in which the cookie was stored. This allows the Internet pages and servers that are visited to distinguish between the individual browser of the person concerned and other Internet browsers that contain other cookies. A specific Internet browser can be recognized and identified by the unique cookie ID.

By using cookies, we can provide users of this website with more user-friendly services that would not be possible without the setting of cookies.

By means of a cookie, the information and offers on our website can be optimized in the interest of the user.

The person concerned can prevent the setting of cookies by our website at any time by making an appropriate setting in the Internet browser used and therefore permanently object to the setting of cookies. Each user can also configure the cookie settings personally when they visit the website for the first time. Furthermore, cookies that have already been set can be deleted at any time using an Internet browser or other software programs. This is possible in all common Internet browsers. If the person concerned deactivates the setting of cookies in the Internet browser used, not all functions of our website may be able to be used.

13. Links

We may provide links to other third-party websites and services that are outside our control and are not covered by this privacy statement. We therefore refer to the privacy policy of the respective third party.

14. Newsletter

With the following information, we will inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the described procedures.

We send newsletters, e-mails and other electronic notifications containing promotional information (“newsletters”) only with the consent of the recipients or with legal permission. If, while registering for the newsletter, its contents are specifically described, they are decisive for the consent of the users.

The registration for our newsletter takes place in a so-called double opt-in procedure. This means that you will receive an e-mail after registration asking you to confirm your registration. This confirmation is needed so that no one can register with e-mail addresses that are not their own.

We use the provider Sendinblue to send our newsletter. Sendinblue is a service of the company Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin.

Your data that is stored when you register for the newsletter (e-mail address, name, IP address, date and time of your registration) is transferred to a Sendinblue GmbH server in the EU.

For more information, please see Sendinblue’s privacy policy: https://www.sendinblue.com/legal/privacypolicy

Termination / Revocation: You can cancel or revoke your subscription to this newsletter and therefore your consent to the storage of your data at any time for the future. Details can be found in the confirmation email and in each individual newsletter.

15. Changes to our privacy policy

We reserve the right to update this privacy policy at any time. The revised version will be published here together with the revision date. Please visit our website regularly to familiarize yourself with the changes. In case of extensive changes, we reserve the right to contact you directly in advance to inform you about the changes. By subsequently using our website, you accept these changes, unless mandatory legal consumer protection regulations speak against such a procedure.

16. Settlement of disputes

You are free to contact the competent data protection authority directly for dispute resolution.