Cybereinforce

Privacy Policy

Effective Date: 1 January 2025
GDPR · CCPA Compliant
Last updated: June 2025
01
Who We Are
Identity & Scope of this Policy

Cybereinforce is a cybersecurity company providing browser-native threat enforcement through its core product, Cybereinforce Threat Enforcement (CTE). CTE operates as a managed security layer deployed across enterprise endpoints, enforcing real-time URL filtering, threat intelligence blocking, and security event logging — directly within the browser.

This Privacy Policy applies to all data processed by Cybereinforce in the delivery of the CTE platform and related services. It governs the obligations of Cybereinforce as a data processor on behalf of its enterprise customers (the data controllers), and as a data controller where Cybereinforce independently determines the purpose of processing.

Cybereinforce acts as a data processor for security event data generated by your organisation's users. Your organisation, as the customer, is the data controller and determines how that data is used under its own policies.
02
Data We Process
Categories, purpose tags & legal basis

Cybereinforce processes the minimum data necessary to deliver browser-level security enforcement. We do not collect browsing content, personal communications, or any data beyond what is technically required for threat detection and audit functions.

| Data Type | Description | Classification |
| --- | --- | --- |
| Admin Email | Used for account authentication and administrative notifications. Never used for marketing. | Required |
| Device Identifiers | Hostnames and internal device IDs used to associate security events with enrolled endpoints. No hardware fingerprinting. | Required |
| Blocked URL Metadata | The URL path and domain of blocked requests, threat category, and timestamp. No page content, no query parameters containing personal data, no session tokens. | Required |
| Security Event Logs | Structured logs of threat enforcement actions: block decisions, policy matches, and incident triggers. Used for SIEM export and audit trails. | Required |
| Tenant Configuration | Policy settings, integration credentials (encrypted), and deployment metadata configured by the admin. | Required |
| Integration Tokens | API tokens for SIEM integrations (e.g. Microsoft Sentinel, Defender). Stored encrypted, scoped to read/write operations only. | Optional |
| Platform Usage Metadata | Aggregate, anonymised usage signals (e.g. feature adoption rates) used to improve the platform. Not linked to individual users. | Anonymised |

What we never collect: browsing history, page content, keystrokes, screenshots, personal communications, financial data, or any data from non-enrolled devices.
03
Legal Basis for Processing
GDPR Article 6 compliance

Where applicable under the General Data Protection Regulation (GDPR), Cybereinforce processes personal data under the following lawful bases:

Contractual Necessity · Art. 6(1)(b)
Processing of account credentials, device identifiers, and security logs is necessary to perform the service contracted between Cybereinforce and the customer organisation.
Legitimate Interests · Art. 6(1)(f)
Threat intelligence processing and security event logging serve the legitimate interests of the customer organisation and Cybereinforce in protecting endpoints and infrastructure from cyberattacks.
Legal Obligation · Art. 6(1)(c)
Audit log retention may be required to fulfil legal or regulatory compliance obligations applicable to the customer's industry (e.g. NIS2, ISO 27001, SOC 2).
04
Purpose of Processing
Why we use the data we collect
Real-time threat prevention
Security event monitoring
Audit & compliance evidence
SIEM & Defender integration
Incident correlation & response
Policy enforcement & reporting

Data is never used for advertising, profiling, or any purpose unrelated to security enforcement. Cybereinforce does not build behavioural profiles of end users. All processing is scoped strictly to the delivery of the contracted security service.

05
Data Sharing & Transfers
Who sees your data and under what conditions
Cybereinforce does not sell, rent, or trade customer data. Data is never shared with third parties for commercial purposes.

Security event data generated by CTE remains under the control of the customer organisation. Customers may export their own security logs to external platforms including Microsoft Sentinel, Splunk, or other SIEM solutions of their choice — this is an explicit feature of the product, operated entirely at the customer's discretion.

Cybereinforce may engage limited sub-processors to operate infrastructure services (e.g. cloud hosting, database services). All sub-processors are bound by contractual data processing agreements and may not use customer data for any purpose outside of service delivery. A current list of sub-processors is available on request.

Where data is transferred outside the European Economic Area (EEA), Cybereinforce ensures adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

06
Data Retention
How long we keep different categories of data
| Data Category | Retention Period | Details |
| --- | --- | --- |
| Security Event Logs | 12 mo. | Retained for operational monitoring and compliance audit purposes. Configurable by enterprise plan. |
| Admin Account Data | Contract +30d | Retained for the duration of the subscription and deleted within 30 days of contract termination. |
| Integration Tokens | Until revoked | Retained in encrypted storage while the integration is active. Permanently deleted on disconnection. |
| Anonymised Analytics | Indefinite | Aggregate, non-identifiable platform usage metrics not subject to retention limits. |

Upon contract termination, Cybereinforce will delete or return all customer data within 30 days upon written request. Customers may request earlier deletion at any time by contacting our data team.

07
Security Measures
How we protect the data we process

Cybereinforce is, at its core, a security company. Protecting the data entrusted to us is treated with the same rigour we apply to protecting our customers' endpoints. We operate a security-first infrastructure model including:

Encryption at Rest & In Transit
All data is encrypted using AES-256 at rest. All data in transit is protected via TLS 1.2 or higher. Integration tokens and secrets are stored in encrypted vaults, never in plaintext.
Role-Based Access Control
Internal access to customer data is restricted on a strict need-to-know basis. All access is logged and subject to periodic access reviews.
Incident Response
In the event of a data breach affecting customer data, Cybereinforce will notify affected customers within 72 hours in accordance with GDPR Article 33 obligations.
Continuous Monitoring
Our own platform infrastructure is monitored 24/7 using the same threat detection capabilities we provide to customers — threat intelligence, anomaly detection, and audit logging.
08
Your Rights
Rights available to data subjects under GDPR & CCPA

Where Cybereinforce acts as a data processor, data subject rights requests (e.g. access, deletion) should be directed to your organisation's administrator, who acts as the data controller. Where Cybereinforce processes data as a controller (e.g. admin account data), the following rights apply:

Right of Access
You may request a copy of the personal data Cybereinforce holds about you.
Right to Rectification
You may request correction of inaccurate or incomplete personal data.
Right to Erasure
You may request deletion of your personal data, subject to our legal retention obligations.
Right to Portability
You may request your data in a structured, machine-readable format for transfer to another service.
Right to Object
You may object to processing based on legitimate interests where your individual circumstances warrant it.
Right to Restrict Processing
You may request that we limit processing of your data in certain circumstances while a dispute is resolved.

To exercise any of these rights, contact us at info@cybereinforce.com. We will respond within 30 days.

09
Cookies & Tracking
What we use on our web properties

The Cybereinforce administrative portal uses strictly necessary session cookies to maintain authenticated sessions. We do not use advertising cookies, third-party tracking pixels, or cross-site analytics on our platform.

| Cookie Name | Purpose | Type |
| --- | --- | --- |
| cte_session | Maintains admin authentication state across requests. Expires on logout or after 8 hours of inactivity. | Necessary |
| cte_csrf | CSRF protection token. Prevents cross-site request forgery on authenticated endpoints. | Necessary |
| cte_locale | Stores the user's language and regional display preferences. | Functional |

10
Contact & DPO
How to reach us on privacy matters

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact our privacy team. We are committed to responding within 30 days of receiving a request.

Data Protection & Privacy Team
For data subject requests, privacy inquiries, sub-processor lists, or DPA (Data Processing Agreement) requests, please write to us. Include your organisation name and the nature of your request for a faster response.
info@cybereinforce.com

If you believe your data protection rights have been violated and we have not adequately addressed your concern, you have the right to lodge a complaint with your local supervisory authority. In the EU, this is the data protection authority of your member state. In the UK, this is the Information Commissioner's Office (ICO).