This Privacy Policy outlines how Cypherdote ("we," "us," "our") collects, processes, stores, secures, and manages personal and organizational data collected through the Cypherdote Advanced Phishing Simulator ("CAPS"). By subscribing to or using CAPS, you ("Client") agree and consent to the practices detailed in this Privacy Policy.
1. Information Collection and Processing
Cypherdote collects and processes various categories of data essential for providing our services effectively. This includes organizational information such as your organization's name, contact details, billing data, administrative contacts, subscription information, and your purchase history. Additionally, we collect employee-related information, which includes email addresses, names, roles within your organization, and their interactions and responses during simulated phishing campaigns. In simulations employing an intrusive mode—where explicit consent is secured from participants—additional data may include camera images, audio recordings, clipboard contents, keystrokes, geographic location, device and browser specifications, IP addresses, and other relevant technical data.
2. Purpose and Use of Collected Data
The data collected through CAPS is solely intended for delivering phishing simulation services, preparing analytical reports aimed at enhancing cybersecurity awareness, and identifying potential vulnerabilities within your organization. Furthermore, collected data facilitates administrative, billing, and technical support operations, and is used internally to continually improve our services and offerings.
3. Data Security and Storage
All collected data is securely stored and processed on dedicated servers located within India. We uphold rigorous security standards and employ advanced protective measures including data encryption, comprehensive firewall configurations, strict Role-Based Access Control (RBAC), regular security audits, and ongoing vulnerability assessments to ensure data confidentiality, integrity, and availability.
4. Data Retention Practices
Cypherdote retains client and employee data in accordance with its defined retention timelines. Clients retain full autonomy and control, with the ability to independently delete or export their data at any time through the provided administrative interface. When a client deletes data, it is removed from active systems but retained in an archived state for 60 days before permanent deletion. Data not deleted by the client will be automatically archived after 120 days of inactivity and permanently deleted 60 days thereafter. Add-on credits purchased by clients retain indefinite validity.
5. Third-Party Data Sharing and Disclosure
Cypherdote maintains a strict policy against the sharing, selling, renting, or disclosure of client or employee data to any third parties under any circumstances. Exceptions to this policy are made solely in cases mandated by law or ordered by legally competent authorities, upon which the client will be promptly notified.
6. Consent for Employee Data Collection
Clients are obligated to obtain explicit informed consent from their employees before initiating any phishing simulation activities involving intrusive data collection methods. To assist with compliance, Cypherdote provides templates and detailed best practices to ensure clarity and transparency during the consent acquisition process.
7. Client Rights Regarding Data
Clients retain the right to access, view, export, modify, correct, and delete their organizational and employee data stored within the CAPS platform. Cypherdote ensures these rights are fully supported through accessible tools and comprehensive administrative capabilities provided within the CAPS interface.
8. Incident Management and Data Breach Response
Cypherdote adheres to proactive incident management protocols designed to swiftly address any data security incidents or unauthorized data access events. In the event of a security breach, Cypherdote commits to notifying affected clients within 72 hours of breach detection, followed by an immediate and thorough investigation and the implementation of necessary corrective measures.
9. Modifications to Privacy Policy
Cypherdote reserves the right to periodically revise or update this Privacy Policy. Clients will be informed in advance of any significant changes to the policy. Continued use of CAPS after such policy updates implies acknowledgment and acceptance of the revised Privacy Policy terms.
10. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or data management practices, please contact Cypherdote directly via email at [email protected].
Your continued use of and subscription to CAPS signify that you have read, fully understood, and agreed to abide by this Privacy Policy.