1. Introduction
Purpose and Legal Framework
This Data Privacy Declaration establishes the comprehensive legal framework governing all personal data processing activities conducted by CypSec Group in connection with the delivery of advanced cybersecurity services to government entities, defense contractors, critical infrastructure operators, commercial organizations, and authorized individuals. This Declaration constitutes a binding legal instrument that defines the parameters of data collection, processing, storage, and transfer activities essential to maintaining national security interests and protecting critical information systems from sophisticated cyber threats.
The provisions contained herein operate within the framework of applicable data protection legislation including the Swiss Federal Act on Data Protection, the General Data Protection Regulation where applicable, and such other mandatory legal requirements as may govern specific jurisdictions. However, all processing activities are conducted with explicit recognition that cybersecurity operations supporting national security interests may require deviations from standard data protection paradigms when necessitated by threat response requirements, intelligence gathering operations, or protective measures for critical infrastructure systems.
Scope of Application
This Declaration applies with full force and effect to all personal data processing operations conducted in connection with advanced threat detection and prevention services, security monitoring and incident response activities, vulnerability assessment and penetration testing operations, forensic analysis and investigative procedures, managed security service delivery, and all associated platforms, technologies, and support mechanisms provided to authorized users.
The scope encompasses all personal data processed through secure government portals and classified communication channels, threat intelligence platforms and security information management systems, cloud-based security architectures and on-premises deployments, mobile applications and remote access technologies, application programming interfaces and software development kits, and all integrated third-party security tools and data sources essential to comprehensive threat detection capabilities.
Acceptance and Binding Effect
Access to or use of any CypSec service constitutes unconditional acceptance of this Data Privacy Declaration and creates a legally binding agreement regarding data processing activities. Users affirm that they possess requisite legal capacity and authority to consent to these data processing terms on behalf of themselves and any entities they represent. This Declaration applies to all users without exception, including government entities, defense contractors, commercial organizations, and individual users operating within authorized security frameworks.
By engaging with CypSec services, users acknowledge that data processing activities may be conducted in support of national security objectives, critical infrastructure protection, and authorized cybersecurity operations, and that such processing may involve collection and analysis of personal data essential to threat detection, incident response, and security maintenance activities.
2. Data Categories and Collection Methodologies
Categories of Personal Data Processed
CypSec processes personal data exclusively to the extent necessitated by operational requirements for cybersecurity service delivery, threat detection capabilities, incident response coordination, and compliance with applicable contractual obligations and government directives. The personal data processed encompasses identification and authorization data including full legal names, government-issued identification numbers, security clearance designations, facility access credentials, biometric identifiers, and professional certifications required for access to classified systems and secure facilities. This category includes passport details, military identification numbers, and such other credentials as may be mandated by government security protocols and clearance verification procedures.
Authentication and access control data encompasses complex authentication credentials, multi-factor authentication tokens, digital certificates, cryptographic keys, session identifiers, access logs, and privilege escalation records necessary for maintaining secure access to critical systems and preventing unauthorized intrusion attempts. All authentication data is processed using FIPS 140-2 Level 3 validated encryption and stored in hardware security modules meeting government security standards. Technical surveillance and telemetry data includes Internet Protocol addresses, device fingerprints, network topology information, system configuration parameters, security event logs, threat detection telemetry, vulnerability scan results, packet capture metadata, and all associated technical indicators essential to threat hunting operations and security posture assessment.
Collection Methods and Technical Implementation
Data collection operations are conducted through multiple technical and operational channels including direct user interaction with secure authentication portals and classified communication systems, automated collection through deployed security sensors, intrusion detection systems, and threat intelligence platforms, integration with government authentication systems and security clearance databases, secure data feeds from partner agencies and threat sharing consortiums, and lawful interception and monitoring activities conducted under appropriate legal authority.
All collection activities utilize government-approved encryption standards and are conducted through secure communication channels meeting applicable classification requirements. Metadata necessary for service operation and threat correlation is retained according to established schedules aligned with national security retention requirements and government audit obligations. Where CypSec operates as data processor under government contracts or classified agreements, all data categories and collection methodologies are specified by the contracting authority, who maintains data controller status for all operational directives and processing purposes.
Processing Limitations and Data Minimization
CypSec processes such data strictly within the parameters established by contractual instruments and applicable security classification guides. The Company does not engage in automated decision-making processes that produce legal effects concerning individuals, except where such processing is essential to threat detection operations, security clearance verification, or other activities explicitly authorized by government directive and subject to appropriate oversight mechanisms. All processing activities are conducted with explicit recognition that cybersecurity operations may require real-time automated analysis to detect and respond to imminent security threats.
Data minimization principles are applied consistently across all processing operations, with collection and retention limited to information essential to maintaining security posture, fulfilling contractual obligations, and supporting legitimate government interests in protecting critical infrastructure and national security assets. Processing activities that present elevated risks to individual rights are subject to enhanced oversight mechanisms and additional safeguards as required by applicable legal frameworks and government directives.
3. Processing Purposes and Legal Foundations
Contractual Performance and Service Delivery
CypSec processes personal data where necessary for fulfillment of government contracts, defense procurement agreements, and authorized service arrangements. This encompasses provision of threat detection and response capabilities, maintenance of secure authentication and access control systems, delivery of vulnerability assessment and penetration testing services, operation of classified communication platforms and secure collaboration tools, and execution of incident response coordination and forensic analysis operations. All contractual processing is conducted strictly within the scope of executed agreements and applicable procurement regulations.
Personal data is processed where necessary for performance of a contract with users or the organizations they represent, or in order to take steps at user request prior to entering into such contractual relationships. This includes the provision, operation, configuration, maintenance, and support of CypSec products and services, the management of user accounts and authentication mechanisms, the handling of service requests and technical support inquiries, and the administration of billing, invoicing, and related financial transactions conducted under government procurement frameworks.
Legal Obligation and Regulatory Compliance
Processing is conducted where mandated by applicable laws, government regulations, and national security directives. Such obligations include compliance with Federal Acquisition Regulation and Defense Federal Acquisition Regulation Supplement requirements, adherence to security classification guides and handling procedures, fulfillment of export control obligations under International Traffic in Arms Regulations and Export Administration Regulations, response to lawful process from courts, regulatory authorities, and oversight bodies, and compliance with tax, accounting, and corporate governance requirements applicable to government contractors.
CypSec processes personal data where necessary for compliance with legal obligations to which the Company is subject. Such obligations may arise under tax, accounting, corporate governance, export control, cybersecurity, financial regulations, employment law, or obligations to respond to lawful requests from courts, regulators, or supervisory authorities with appropriate jurisdiction over Company operations.
Legitimate Security Interests and National Security Requirements
CypSec processes personal data where necessary to protect essential security interests that are not overridden by individual privacy rights. These interests encompass maintaining the security and integrity of critical infrastructure systems and networks, preventing, detecting, and responding to cyber threats, espionage activities, and nation-state attacks, conducting threat intelligence analysis and attribution investigations, protecting classified information and controlled technical data, ensuring the continued availability of essential services, and supporting law enforcement and counterintelligence activities as authorized by applicable legal authority.
Legitimate interests include ensuring the security and integrity of infrastructure, products, and services, preventing, investigating, and responding to fraud, misuse, or security incidents, developing and improving platforms and offerings, conducting internal analytics and reporting, maintaining and expanding business relationships, enforcing legal claims, and managing corporate transactions such as mergers, acquisitions, or restructurings. All legitimate interest processing is subject to formal balancing tests that consider the severity of identified threats, the potential impact on critical infrastructure protection, obligations to government contracting authorities, and applicable national security directives.
Consent-Based Processing and Special Categories
Personal data is processed on the basis of explicit consent where required by applicable law for specific activities including participation in optional security research and development initiatives, enrollment in advanced training programs and certification courses, involvement in threat information sharing consortiums and industry collaboration efforts, provision of testimonials or case studies for marketing purposes, and activation of enhanced monitoring or analytics features beyond baseline security requirements. Consent may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
In limited circumstances essential to cybersecurity operations, CypSec may process special categories of personal data including biometric identifiers for multi-factor authentication, security clearance information, and background investigation results. Such processing is conducted only where necessary for establishment, exercise, or defense of legal claims, required by substantial public interest grounds including national security objectives, explicitly authorized by data subjects with appropriate legal safeguards, or mandated by applicable government security requirements and clearance procedures.
All processing purposes are evaluated through formal necessity and proportionality assessments to ensure that data collection and processing activities are strictly limited to what is essential for achieving legitimate security objectives while maintaining appropriate respect for individual privacy interests within the framework of applicable legal requirements and government directives.
4. Data Retention, Storage Architecture, and Security Safeguards
Retention Periods and Legal Framework
CypSec maintains personal data according to retention schedules specifically designed to balance operational requirements for cybersecurity operations with applicable legal obligations and government record-keeping mandates. All retention periods are established through formal assessment processes that evaluate the classification level and sensitivity designation of processed information, contractual obligations specified in government contracts and procurement agreements, statutory limitation periods applicable to government contractors, national security retention requirements and intelligence oversight mandates, and operational necessity for threat correlation and forensic analysis capabilities.
Account and authentication data is retained for the duration of active service plus seven years to support audit requirements, security investigations, and government oversight activities. Security logs and event data are maintained for minimum periods of twenty-four months to enable threat hunting operations, incident correlation, and forensic analysis activities. Financial and contract records are preserved for ten years in accordance with government procurement regulations, tax obligations, and audit trail requirements. Backup and disaster recovery systems are retained for ninety days unless extended retention is mandated by specific contractual obligations or classification requirements.
Storage Architecture and Technical Controls
All personal data is maintained within secure environments implementing defense-in-depth architecture with multiple independent security layers. Storage systems utilize FIPS 140-2 Level 3 validated encryption for all data at rest using AES-256 or stronger algorithms, hardware security modules for cryptographic key management and access control operations, network segmentation and micro-segmentation to isolate sensitive data storage systems, continuous monitoring systems with real-time threat detection capabilities, and immutable audit logging to prevent unauthorized modification of retention records.
Data storage operations may utilize government-approved cloud infrastructure meeting FedRAMP High or equivalent security baselines, on-premises systems within secure facilities cleared for appropriate classification levels, hybrid architectures approved for specific government contracts, and backup systems maintained in geographically separated locations for disaster recovery purposes. All third-party storage providers must demonstrate appropriate security clearances and maintain facility clearances consistent with the classification level of stored data.
Incident Response and Breach Notification Procedures
CypSec maintains comprehensive incident response procedures designed to address security events affecting personal data. Upon detection of any suspected or confirmed security incident, the Company immediately activates containment procedures to prevent further unauthorized access, conducts comprehensive impact assessment to determine the scope and nature of affected personal data, implements remediation measures to address vulnerabilities and prevent recurrence, coordinates with appropriate government authorities and contracting officers where classified information is involved, and maintains detailed documentation for audit and oversight purposes.
Notification obligations are fulfilled in accordance with applicable legal requirements and government contract provisions. Where required by law, CypSec provides notification to supervisory authorities within seventy-two hours of incident confirmation. Affected individuals are notified without undue delay where the incident presents high risk to individual rights and freedoms. All notifications include description of the incident nature and scope, identification of affected personal data categories, assessment of potential consequences, description of containment and remediation measures, and contact information for additional inquiries.
Secure Disposal and Data Destruction Protocols
Upon expiration of applicable retention periods, personal data is destroyed using methods appropriate to the classification level and sensitivity of the information. Destruction procedures include cryptographic erasure using NIST-approved methods for encrypted data, multiple-pass overwriting meeting DoD 5220.22-M standards for magnetic media, physical destruction through shredding or degaussing for storage devices containing classified information, and certified destruction with chain of custody documentation for all government-contracted data.
Where technical constraints prevent immediate deletion, access to personal data is strictly restricted through removal of all user access privileges and authentication credentials, implementation of technical controls preventing system access, maintenance in secure offline storage with limited administrative access, and eventual destruction upon resolution of technical constraints. All disposal activities are documented through formal destruction certificates maintained according to applicable government record-keeping requirements and oversight mandates.
5. Data Disclosure and International Transfer Protocols
Authorized Disclosure Categories and Recipients
CypSec does not engage in sale, rental, or commercial exploitation of personal data under any circumstances. All disclosures are conducted exclusively where necessitated by operational requirements, contractual obligations, or lawful process, and are limited to the minimum extent required for legitimate cybersecurity operations and government service delivery. Personal data may be disclosed to vetted entities operating under binding confidentiality and security obligations including cleared contractors and strategic partners maintaining appropriate facility and personnel security clearances, government-approved infrastructure providers meeting FedRAMP High or equivalent security baselines, financial institutions processing authorized transactions under government procurement regulations, legal advisors and compliance consultants with appropriate security clearances and need-to-know authorization, and audit firms and oversight bodies with lawful jurisdiction and appropriate clearance levels.
Disclosure within the CypSec corporate structure is limited to entities maintaining equivalent security standards and appropriate facility clearances. All intra-group transfers are conducted through secure communication channels with appropriate classification markings and are subject to verification of recipient entity security clearance status, implementation of need-to-know access controls, maintenance of audit trails for all data movements, and compliance with applicable government oversight requirements and congressional notification mandates where appropriate.
Government and Law Enforcement Disclosure Requirements
Personal data is disclosed to government agencies, regulatory authorities, and law enforcement entities where mandated by lawful process including court orders, subpoenas, and warrants, national security directives and classified government requirements, oversight obligations under Federal Acquisition Regulation and agency-specific procurement rules, emergency disclosure procedures to prevent imminent harm to critical infrastructure, and international cooperation agreements and mutual legal assistance treaties. All government disclosures are conducted through appropriate security channels with proper classification handling and oversight coordination.
CypSec maintains rigorous subprocessor vetting and oversight procedures. All subprocessors are subject to comprehensive security assessments verifying compliance with government security requirements, contractual obligations implementing equivalent technical and organizational measures, restrictions prohibiting onward disclosure without explicit authorization, audit rights enabling verification of compliance with security obligations, and immediate termination provisions for security violations or breach of confidentiality obligations. A current register of authorized subprocessors is maintained and provided to government contracting officers upon request.
International Transfer Mechanisms and Safeguards
Cross-border data movements are conducted exclusively through secure channels approved for government and defense applications, implementing encryption at rest and in transit using FIPS 140-2 Level 3 validated cryptographic modules, key management controls ensuring keys remain under appropriate government jurisdiction, network routing restrictions preventing transit through unauthorized jurisdictions, data localization requirements where mandated by government contracts, and comprehensive audit logging of all cross-border movements for oversight and compliance verification.
For transfers to jurisdictions lacking adequacy decisions, CypSec conducts formal transfer impact assessments evaluating legal framework analysis of recipient country surveillance and data access laws, assessment of potential government access to transferred data, evaluation of available legal remedies for data subjects, identification of supplementary technical and contractual measures, and documentation of proportionality analysis balancing security benefits against privacy risks. All assessments are reviewed by qualified legal counsel and approved by senior management prior to transfer authorization.
Government-to-Government Transfer Protocols
International transfers conducted under formal government agreements utilize approved secure communication channels and are subject to bilateral or multilateral agreements establishing appropriate safeguards, NATO security protocols and classified information handling procedures, intelligence oversight requirements and congressional briefing obligations, specific technical controls mandated by transfer agreements, and continuing oversight by appropriate government authorities to ensure compliance with national security requirements.
All international transfers are limited to the minimum extent necessary for legitimate cybersecurity operations and are conducted with explicit recognition that protection of national security interests and critical infrastructure may require prioritization of collective security objectives over unrestricted data movement. Processing activities are designed to maintain the highest available level of protection while ensuring operational effectiveness for threat detection and response operations across authorized jurisdictions and allied nations.
6. Individual Rights and Exercise Mechanisms
Rights Framework and Legal Limitations
Subject to applicable legal frameworks and overriding national security requirements, individuals possess specific rights regarding personal data processed by CypSec. The scope and exercise of these rights may be modified where necessitated by classification requirements and security clearance obligations, government contract provisions and procurement regulations, national security directives and intelligence oversight requirements, ongoing threat investigations and counterintelligence operations, and protective measures for critical infrastructure and classified systems.
Individuals possess the right to request access to personal data undergoing processing, subject to verification of appropriate security clearance and need-to-know authorization. Access requests must specify the particular data categories sought, the legitimate basis for the access request, verification of identity through government-approved authentication mechanisms, and acknowledgment of applicable confidentiality and security handling requirements. Access may be denied or limited where disclosure would compromise classified information or national security interests, interfere with ongoing threat investigations, reveal proprietary threat intelligence sources or methods, or violate security clearance obligations or compartmentalization requirements.
Rectification and Data Quality Rights
Requests for correction of inaccurate personal data are processed where the inaccuracy is verified through appropriate documentation, correction would not compromise security operations or audit trail integrity, the requesting individual possesses appropriate authorization to request modification, and correction is consistent with applicable government record-keeping requirements. Requests affecting security clearance information, background investigation results, or threat intelligence data are subject to additional verification procedures and may require coordination with appropriate government authorities.
The right to erasure is subject to overriding national security retention requirements, government contract provisions, and intelligence oversight mandates. Erasure will not be processed where personal data is required for ongoing threat detection or incident response activities, must be retained pursuant to government audit or oversight requirements, constitutes evidence in actual or potential legal proceedings, is necessary for security clearance verification or background investigation purposes, or is subject to mandatory retention periods established by applicable law or government directive.
Processing Restrictions and Objection Rights
Individuals may request restriction of processing activities where accuracy is legitimately contested and verification is pending, processing is unlawful but erasure is prohibited by national security requirements, data is no longer required for operational purposes but must be retained for legal proceedings, or objection to processing is pending verification of overriding legitimate grounds. Restricted data remains subject to appropriate security controls and may continue to be processed for national security purposes authorized by government directive, protection of critical infrastructure systems, compliance with applicable legal obligations, or establishment, exercise, or defense of legal claims.
Individuals possess the right to object to processing based on legitimate interests where such interests are not overridden by national security requirements, government contractual obligations, or critical infrastructure protection needs. Objections to processing for direct marketing purposes will be honored immediately. Objections to security-related processing are evaluated through formal balancing tests considering the severity and immediacy of identified threats, the potential impact on critical infrastructure protection, obligations to government contracting authorities, and applicable national security directives.
Exercise Procedures and Verification Requirements
All rights requests must be submitted through secure channels with appropriate identity verification and security clearance confirmation. Requests are processed only where requester identity is verified through government-approved authentication mechanisms, requester possesses appropriate security clearance for accessing requested information, disclosure would not compromise classified information or national security interests, and processing is technically feasible within applicable security constraints. Unverifiable requests will not be processed.
Verified requests will be processed within timeframes required by applicable law, typically thirty days, unless extended by the complexity of requests involving classified information, coordination requirements with government authorities, technical constraints affecting data retrieval from secure systems, or overriding national security interests requiring extended processing periods. Requesters will be notified of any extensions and provided with status updates throughout the processing period.
All rights exercise activities are conducted with explicit recognition that cybersecurity operations supporting national security interests may require prioritization of collective security objectives over individual data subject rights where such prioritization is authorized by applicable legal frameworks and government directives. Individuals retain the right to lodge complaints with competent supervisory authorities regarding processing activities, with additional recourse through appropriate contracting officers, agency inspectors general, and congressional oversight committees where applicable to government contracts.
7. Policy Governance and Administrative Framework
Administrative Authority and Jurisdictional Framework
This Data Privacy Declaration is administered by CypSec Group as the authoritative framework governing all personal data processing activities conducted in support of cybersecurity operations. The Declaration establishes uniform protection standards across all operations while recognizing that specific government contracts, classified agreements, and national security directives may impose additional requirements that supersede general provisions where mandated by applicable law or overriding security interests.
In circumstances where conflicting requirements arise between this Declaration and government contract provisions or procurement regulations, national security directives and classified handling procedures, international treaties or bilateral agreements, intelligence oversight mandates, or emergency directives for critical infrastructure protection, the most protective applicable standard that satisfies government security requirements shall prevail. All conflicts are resolved through formal legal review with appropriate government coordination where classified information is involved.
Technical Implementation and Tracking Technologies
CypSec utilizes cookies and comparable tracking technologies exclusively for maintaining secure authentication sessions and preventing unauthorized access, threat detection and anomaly identification within customer environments, performance monitoring of security infrastructure and response systems, and compliance verification with government security requirements. Essential cookies necessary for secure platform operation are deployed without individual consent. Non-essential tracking technologies are implemented only where explicitly authorized by applicable law and subject to appropriate security oversight mechanisms.
All technical implementations utilize government-approved encryption standards and are conducted through secure communication channels meeting applicable classification requirements. Tracking data is retained according to established schedules aligned with national security retention requirements and government audit obligations, with access strictly limited to personnel possessing appropriate security clearances and need-to-know authorization.
Age Restrictions and Minor Protection Protocols
CypSec services are designed for and restricted to authorized government personnel, cleared contractors, validated commercial entities operating within approved security frameworks, and individuals in need of privacy-preserving technologies. The Company does not knowingly collect personal data from individuals under sixteen years of age. Where inadvertent collection is detected, such data will be immediately deleted unless retention is mandated by ongoing threat investigations, security incident response requirements, government audit or oversight obligations, applicable legal retention mandates, or national security interests requiring continued processing.
All age verification procedures are implemented through secure authentication mechanisms that verify authorization to access classified systems and sensitive information. Processing activities involving minors are subject to enhanced oversight and immediate review by appropriate government authorities and contracting officers.
Policy Modification and Update Procedures
This Declaration may be updated to reflect modifications in applicable data protection legislation or government procurement regulations, enhancements to security technologies and threat detection capabilities, changes in contract requirements or classification guidelines, developments in international data transfer mechanisms, or operational requirements for enhanced cybersecurity capabilities. Updated versions are disseminated through secure notification channels.
Significant modifications affecting international data transfer mechanisms, government oversight or audit procedures, security classification handling requirements, limitation of liability or warranty provisions, or dispute resolution procedures for government contracts will be communicated through formal contract modification processes with appropriate advance notice as required by applicable procurement regulations. All material changes require acknowledgment by authorized government representatives before implementation.
Governance Structure and Regulatory Compliance
CypSec maintains comprehensive governance mechanisms including appointment of qualified Data Protection Officers with appropriate security clearances for handling classified information, establishment of government liaison offices for coordination with contracting authorities, implementation of formal review procedures for all policy modifications affecting government contracts, maintenance of oversight committees with representation from legal, security, and government relations functions, and coordination with appropriate supervisory authorities and intelligence oversight bodies as required by applicable law.
Where required by applicable law, CypSec designates representatives within relevant jurisdictions in accordance with Articles 27 and 37 of the General Data Protection Regulation. All representatives maintain appropriate security clearances and are authorized to coordinate with supervisory authorities on matters involving classified information, facilitate rights exercise procedures subject to national security limitations, manage breach notification processes with appropriate government coordination, and serve as liaison points for regulatory inquiries requiring security clearance verification.
This Declaration operates as the definitive governance framework for all personal data processing activities, superseding all prior policies, procedures, and informal practices. All processing activities are conducted with explicit recognition that protection of national security interests and critical infrastructure may require prioritization of collective security objectives over individual preferences where such prioritization is authorized by applicable legal frameworks and government directives.