Privacy Policy | Security Affairs Ltd
Effective Date: 29th of June 2025 | Last Updated 29th of June 2025
1.0 Our Commitment to Your Privacy
Security Affairs Ltd (“we”, “us”, “our”) is unequivocally committed to protecting and respecting the privacy and security of all personal data entrusted to us. As a provider of expert cybersecurity services, we recognise that trust is the foundation of our client relationships, and the robust protection of information is central to our professional identity and operations.
This Privacy Policy outlines our comprehensive approach to data handling. It is designed to be transparent and to provide you with a clear understanding of how we collect, use, process, and safeguard personal data. Our practices are rigorously aligned with the United Kingdom’s data protection regime, principally the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), alongside the Privacy and Electronic Communications Regulations (PECR).
This document explains our responsibilities and your rights concerning your personal data. It applies to the information we process through our website, https://securityaffairs.biz, our direct business interactions, and, crucially, in the delivery of our professional services to our clients.
Our registered details are:
Company Name: Security Affairs Ltd
Company Registration Number: 15559144
Registered Office Address: No1 Business Centre, 1 Alvin Street, Gloucester, GL1 3EJ
2.0 How This Policy Applies to You: Our Roles and Responsibilities
Our relationship with personal data, and by extension our legal responsibilities, varies depending on how you interact with us. The UK GDPR establishes two primary roles in data processing: the ‘Data Controller’ and the ‘Data Processor’. Understanding this distinction is fundamental to understanding how your data is managed and who holds ultimate responsibility for its protection.
2.1 When You Use Our Website or Engage with Us Directly (We are the Data Controller)
We act as the Data Controller when we process personal data for our own business purposes. This occurs when you:
- Visit our website, https://securityaffairs.biz.
- Contact us directly via email, telephone, or our website contact forms.
- Subscribe to our newsletters or marketing communications.
- Engage with us as a prospective client, supplier, or business partner.
In these scenarios, we determine the purposes for which your personal data is collected and the means by which it is processed. We are directly responsible for ensuring that this processing complies with all applicable data protection laws.
2.2 When You are a Client Using Our Services (We are the Data Processor)
When we are engaged by a client to provide our cybersecurity services—which are strictly OSINT investigations, phishing analysis, and malware analysis—our role changes. For any data that belongs to our client or their users which we handle as part of these services (“Client Data”), we act as the Data Processor.
In this capacity, our client is the Data Controller. The client determines the purposes and legal basis for processing the Client Data. We only process this data on the client’s behalf and strictly in accordance with their lawful, documented instructions.
The terms of this processing, including the scope, nature, duration, and our specific obligations, are not primarily governed by this public-facing Privacy Policy. Instead, they are formally defined and legally bound by a comprehensive Master Services Agreement (MSA) and an accompanying Data Processing Addendum (DPA) entered into between us and our client. This contractual framework is mandated by Article 28 of the UK GDPR and is essential for delineating responsibilities and liability. This policy should therefore be read in conjunction with any such agreement if you are a client. This contractual separation ensures legal clarity and protects both parties by defining the precise scope of our duties and limiting our processing activities to the client’s explicit instructions.
3.0 The Personal Data We Process, Our Purposes, and Lawful Basis
Under the UK GDPR, all processing of personal data must be lawful, fair, and transparent. This requires us to have a valid lawful basis for each processing activity and to be clear about our purposes. Personal data is any information that can be used to identify a natural person, including names, email addresses, and online identifiers like IP addresses.
3.1 As a Data Controller
When acting as a Data Controller for our own business purposes, we process the following categories of personal data, for the purposes and on the lawful bases specified below:
- Identity Data: Includes first name, last name, and username or similar identifier.
  - Purpose: To identify you as a client, contact, or user.
  - Lawful Basis: Performance of a Contract (when you are a client); Legitimate Interest (to manage our business relationships).
- Contact Data: Includes billing address, delivery address, email address, and telephone numbers.
  - Purpose: To communicate with you, respond to your enquiries, deliver our services, and manage our contractual relationship.
  - Lawful Basis: Performance of a Contract; Legitimate Interest (to respond to enquiries and for business development).
- Financial Data: We utilise third-party payment processors (e.g., GoCardless) to handle financial transactions. We do not directly collect, store, or have access to your full bank account or payment card details. This data is provided by you directly to the payment processor under their terms and privacy policy.
  - Purpose: To facilitate and confirm payments for our services via our third-party provider.
  - Lawful Basis: Performance of a Contract.
- Transaction Data: Includes details about payments to and from you and other details of services you have purchased from us.
  - Purpose: To maintain accurate records of our business transactions.
  - Lawful Basis: Performance of a Contract; Legal Obligation (for tax and accounting purposes).
- Technical Data: Includes Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
  - Purpose: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data), and to deliver relevant website content to you.
  - Lawful Basis: Legitimate Interest (for running our business, provision of administration and IT services, network security, and to prevent fraud).
- Marketing and Communications Data: Includes your preferences in receiving marketing from us and your communication preferences.
  - Purpose: To send you relevant information about our services, industry insights, and events.
  - Lawful Basis: We rely on Consent for individuals who are not existing clients. For our corporate clients or contacts with whom we have an existing relationship, we may rely on Legitimate Interest (often referred to as the ‘soft opt-in’ under PECR), providing a clear option to opt-out in every communication.
3.2 As a Data Processor
When acting as a Data Processor for our clients, the scope of data we process is determined entirely by the client (the Data Controller).
- Client Security and Operational Data: This category encompasses any data provided to us by our clients for the explicit purpose of conducting our contracted services, which are strictly OSINT investigations, phishing analysis, and malware analysis. This can include, but is not limited to:
  - Samples of phishing emails, including headers, content, and attachments.
  - Malware samples for static and dynamic analysis.
  - Data gathered from publicly available sources as part of an OSINT investigation.
  - Potentially, special categories of personal data or criminal offence data, if such data is contained within the materials provided by the client for analysis.
The specific categories of data, the purposes of processing, and the lawful basis for processing are defined and established by our client in their capacity as the Data Controller. Our legal mandate to process this data is the Performance of a Contract (our MSA and DPA with the client). The client bears the responsibility for ensuring they have a valid lawful basis for the collection of this data and for instructing us to process it on their behalf.
4.0 Cookies and Website Tracking Technologies
Our website uses cookies and similar technologies. This section provides detailed information about their use, in compliance with the Privacy and Electronic Communications Regulations (PECR). PECR requires that we are transparent about the cookies we use and that we obtain your consent to place them on your device, unless they are “strictly necessary” for the functioning of our website.
A cookie is a small text file that is stored on your computer or mobile device when you visit a website. It enables the website to remember your actions and preferences over a period of time.
We classify the cookies we use as follows:
- Strictly Necessary Cookies: These cookies are essential for you to browse the website and use its features, such as accessing secure areas of the site. The website cannot function properly without these cookies. We do not require your consent to place these cookies.
- Analytical/Performance Cookies: These cookies collect information about how you use our website, such as which pages you visit and if you experience any errors. These cookies do not collect any information that could identify you and are only used to help us improve how our website works and understand what interests our users.
- Functionality Cookies: These cookies are used to recognise you when you return to our website. This enables us to personalise our content for you and remember your preferences (for example, your choice of language or region).
- Targeting/Marketing Cookies: These cookies record your visit to our website, the pages you have visited, and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.
With the exception of Strictly Necessary cookies, we will only place cookies on your device with your explicit and informed consent. This consent is obtained through our cookie consent banner, which is presented to you on your first visit to our site. The standard of consent we require is aligned with the UK GDPR, meaning it must be freely given, specific, informed, and unambiguous.
You can view a full list of the cookies we use, and manage your preferences or withdraw your consent at any time, through our. Please be aware that blocking some types of cookies may impact your experience of the site and the services we are able to offer.
5.0 Data Sharing and Third-Party Sub-Processors
We hold the confidentiality and security of your data in the highest regard. We have a strict policy against selling personal data to any third party. However, in the course of our business operations, we may need to share data with trusted third parties who provide services to us or act on our behalf.
5.1 Data Processed as a Data Controller
For data where we are the Controller (e.g., our own business and website data), we may share information with the following categories of third parties:
- IT and Cloud Service Providers: Who provide us with website hosting, cloud storage, and other essential IT infrastructure.
- Payment Service Providers: To securely process financial transactions.
- Professional Advisors: Including our lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
- Marketing and Analytics Providers: To help us manage our marketing communications and analyse website performance, subject to your consent where required.
We conduct due diligence on all our third-party service providers and ensure that we have a contract in place that requires them to respect the security of your personal data and to treat it in accordance with the law. They are only permitted to process your personal data for specified purposes and in accordance with our instructions.
5.2 Data Processed as a Data Processor (Client Data)
The management of sub-processors for Client Data is a critical aspect of our service delivery and is governed by strict contractual controls. A “sub-processor” is any third party we engage that processes Client Data.
Our commitment to our clients is as follows:
We will not engage any third-party sub-processor to process Client Data without the prior specific or general written authorisation of the client, as stipulated in our Data Processing Addendum (DPA). This aligns directly with our obligations under Article 28(2) of the UK GDPR.
Where we have general authorisation, we will inform the client of any intended changes concerning the addition or replacement of other sub-processors, thereby giving the client the opportunity to object to such changes.
Furthermore, we will ensure that any sub-processor we engage is bound by a written contract that imposes data protection obligations on them that are at least equivalent to those set out in our DPA with the client. We remain fully liable to the client for the performance of that sub-processor’s data protection obligations. This rigorous approach ensures a clear chain of accountability and provides our clients with assurance and control over their data.
6.0 International Data Transfers
Our primary operations and data storage facilities are located within the United Kingdom. However, the global nature of technology services means that we may, at times, need to process, store, or transfer personal data in countries outside of the UK.
We will only transfer personal data outside the UK where we are satisfied that adequate levels of protection are in place to protect the information, in full compliance with UK data protection law. We ensure the lawfulness of such transfers through one of the following recognised legal mechanisms:
- Adequacy Decisions: Transferring data to countries that the UK Government has formally deemed to provide an adequate level of data protection.
- Appropriate Safeguards: Where no adequacy decision exists, we will use appropriate legal safeguards as prescribed by the ICO. This will typically be the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU’s Standard Contractual Clauses (SCCs). These are legally binding contracts that enforce UK-equivalent data protection standards on the recipient.
- Transfer Risk Assessments (TRAs): For any transfer relying on an IDTA or the UK Addendum, we will conduct a thorough Transfer Risk Assessment. This assessment evaluates the laws and practices of the destination country to ensure that the contractual safeguards can be effectively implemented in practice, thereby guaranteeing that the data remains protected to the standard required by UK law.
By implementing these measures, we ensure that any international data transfer is conducted with the same level of rigour and legal protection as if the data had remained within the UK.
7.0 Our Security Commitments: Data Integrity and Isolation
As a cybersecurity firm, implementing and maintaining robust security measures is not merely a compliance requirement; it is the core of our business ethos. We are committed to upholding the UK GDPR principle of ‘integrity and confidentiality’ by implementing appropriate technical and organisational measures (TOMs) to protect all personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.
7.1 Data Isolation: Our Core Security Strategy
A central pillar of our security architecture is data isolation. This is the practice of programmatically and physically separating data sets to minimise the attack surface and prevent unauthorised data co-mingling or cross-contamination between different clients or environments. Our implementation of data isolation is multi-layered:
- Logical Isolation: We leverage modern virtualisation and cloud technologies to create distinct, segregated environments for each client’s data. This is achieved through mechanisms such as:
  - Virtual Private Clouds (VPCs) and Network Segmentation: Each client’s service environment is deployed within its own logically isolated section of our cloud infrastructure, with strict firewall rules and network access control lists (ACLs) that prevent traffic from flowing between client environments unless explicitly authorised.
  - Virtual Machines (VMs) and Containerisation: Client workloads are run in separate VMs or containers, ensuring that processes and file systems are isolated from one another at the operating system level.
- Database and Storage Separation: Our services involve the analysis of discrete data samples (e.g., phishing emails, malware files) and the compilation of OSINT reports, rather than running client applications in our environment. Our data isolation strategy at the storage layer is therefore focused on the strict segregation of all client-provided materials and investigation data. We utilise separate, dedicated storage containers or logically separated database schemas for each client engagement. This ensures there is no possibility of data from one client’s investigation co-mingling with another’s, providing a powerful barrier against cross-tenant data leakage and simplifying auditing.
- Role-Based Access Control (RBAC) and Least Privilege: Access to all data, particularly sensitive Client Data, is governed by a strict RBAC policy. Our personnel are granted access rights based on the principle of least privilege, meaning they can only access the specific data and systems necessary to perform their designated duties for a particular client. All access is logged and monitored.
7.2 Other Security Measures
Alongside data isolation, our comprehensive security programme includes:
- Encryption: All data is encrypted both in transit over public networks using strong protocols such as Transport Layer Security (TLS 1.2 or higher) and at rest on our servers and in our databases using industry-standard algorithms like AES-256.
- Data Minimisation: We adhere strictly to the principle of data minimisation. We design our systems and processes to ensure we only collect, process, and retain data that is absolutely necessary for the specific, agreed-upon purpose.
- Regular Security Audits and Assessments: Our security controls and infrastructure are subject to regular internal and external vulnerability assessments and penetration tests. We engage independent, third-party auditors to provide unbiased evaluation and validation of our security posture, ensuring our controls remain effective against emerging threats.
- Incident Response Plan: We maintain a documented and regularly tested Incident Response Plan. In the event of a personal data breach, this plan ensures we can take swift action to contain the incident, mitigate harm, and notify the ICO and affected data subjects where legally required, within the timeframes mandated by the UK GDPR.
8.0 Data Retention: How Long We Keep Your Information
To provide full transparency and demonstrate our accountability, we have established a formal Data Retention Schedule. This schedule documents our retention periods for different categories of data and, crucially, the justification for each period. This ensures our policies are defensible and grounded in specific legal requirements, such as those set by HM Revenue & Customs (HMRC) or the Limitation Act 1980 for civil claims.
Data Retention Schedule
Category of Data | Examples of Data Included | Retention Period | Justification (Lawful Basis and Rationale) |
Website & Marketing Data | IP addresses, cookie consent records, contact form submissions from non-clients, email marketing list data. | 24 months from the date of last interaction, or until consent is withdrawn. | Legitimate Interest: To analyse website performance and understand user engagement. Consent: For marketing communications where required by PECR. The period allows for meaningful year-on-year analysis. |
Prospective Client Data | Emails, meeting notes, proposals, and other pre-contractual communications. | 2 years after our last substantive contact if no contract is signed. | Legitimate Interest: To maintain a record of business development activities and for follow-up communications. |
Client Account & Contractual Data | Signed Master Services Agreements, Data Processing Addendums, invoices, payment records, key contact details. | 7 years after the termination of the client relationship. | Legitimate Interest: To defend against potential legal claims under the Limitation Act 1980 (6 years for breach of contract). Legal Obligation: To comply with HMRC requirements for financial and VAT records (6 years + 1 year buffer). |
Client Security & Operational Data (Processed on behalf of Client) | Security logs, network traffic data, system configurations, vulnerability scan results, incident response data. | This data is retained strictly in accordance with the client’s documented instructions in the governing DPA. By default, it is securely deleted or returned to the client within 30 days of contract termination. | Performance of a Contract: We process this data solely to provide the contracted services. The retention period is controlled by the client (the Data Controller). This ensures we comply with the storage limitation principle by not holding data beyond our mandate. |
Unsuccessful Job Applicant Data | CVs, application forms, interview notes. | 6 months after the recruitment decision has been communicated. | Legitimate Interest: To maintain records in case of a legal claim related to the recruitment process under employment law. |
Employee Records | Employment contracts, payroll data, performance reviews, sickness records. | 6 years after the end of employment. | Legal Obligation & Legitimate Interest: To comply with employment law, tax law, and to defend against potential legal claims. |
Upon expiry of the applicable retention period, personal data is securely and permanently destroyed or anonymised in accordance with our data disposal procedures.
9.0 Your Data Protection Rights
Under UK data protection law, you have a number of rights over your personal data. These rights are designed to give you control over how your information is used. We are committed to upholding these rights and have processes in place to facilitate your requests.
Your rights are as follows:
- The Right to be Informed: You have the right to be provided with clear, transparent, and easily understandable information about how we use your information and your rights. This is why we are providing you with this Privacy Policy.
- The Right of Access: You have the right to obtain access to your information (if we’re processing it). This is commonly known as a Subject Access Request (SAR). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- The Right to Rectification: You are entitled to have your information corrected if it is inaccurate or incomplete.
- The Right to Erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there is no compelling reason for us to keep using it. This is not a general right to erasure; there are exceptions.
- The Right to Restrict Processing: You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but may not use it further.
- The Right to Data Portability: You have the right to obtain and reuse your personal data for your own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
- The Right to Object: You have the right to object to certain types of processing, including processing for direct marketing and processing based on our legitimate interests.
- Rights in relation to Automated Decision Making and Profiling: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you. We do not currently conduct this type of processing.
To exercise any of these rights, please contact us using the details provided in Section 10.0. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Please note that if your request pertains to Client Data for which we are the Data Processor, we will inform our client (the Data Controller) and assist them in responding to your request, as we can only act upon their instructions. Some rights may also be subject to legal exemptions, which we will explain if applicable.
10.0 How to Contact Us or Make a Complaint
We have appointed a Data Protection Lead who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions, concerns, or wish to exercise your data protection rights, please contact us using the details below:
Designation: Data Protection Lead
Email Address: privacy@securityaffairs.biz
Postal Address: No1 Business Centre, 1 Alvin Street, Gloucester, GL1 3EJ
We are committed to resolving any concerns you may have. However, if you believe that we have not addressed your concerns satisfactorily, you have the right to lodge a complaint at any time with the UK’s supervisory authority for data protection issues, the Information Commissioner’s Office (ICO).
The ICO’s contact details are:
Website: https://ico.org.uk/make-a-complaint/
Telephone: 0303 123 1113
Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
11.0 Changes to This Privacy Policy
The data protection landscape is constantly evolving, with changes to laws, regulations, and best practices. We may therefore update this Privacy Policy from time to time to reflect these changes or to reflect changes in our own processing activities.
We will not explicitly inform our clients or users of these changes. We recommend that you check this page periodically for any updates. The “Last Updated” date at the top of this policy indicates when it was last revised. Your continued use of our website or services after any changes to this Privacy Policy will mean you accept those changes.