
GDPR Compliance

Introduction

At CyberITEX, we are committed to protecting the privacy and security of personal data. This page outlines our approach to compliance with the General Data Protection Regulation (GDPR), which regulates the processing of personal data relating to individuals in the European Union (EU) and the European Economic Area (EEA).

As a Managed Security Service Provider (MSSP), we understand the importance of data protection and take our responsibilities under the GDPR seriously, both as a data controller for our own operations and as a data processor for our clients.

This policy was last updated on March 14, 2025.

Our GDPR Commitment

CyberITEX is committed to:

  • Processing personal data lawfully, fairly, and transparently
  • Collecting personal data only for specified, explicit, and legitimate purposes
  • Limiting data collection to what is necessary for the purposes for which it is processed
  • Ensuring personal data is accurate and kept up to date
  • Retaining personal data only for as long as necessary for the purposes for which it is processed
  • Processing personal data in a manner that ensures appropriate security
  • Being accountable for and demonstrating compliance with these principles

Lawful Basis for Processing

CyberITEX processes personal data on the following lawful bases:

  • Contractual Necessity: Processing necessary for the performance of our contracts with clients
  • Legitimate Interests: Processing necessary for our legitimate interests or those of third parties, provided they are not overridden by the interests or rights of data subjects
  • Legal Obligation: Processing necessary for compliance with our legal obligations
  • Consent: Processing based on freely given, specific, informed, and unambiguous consent

The specific lawful basis for processing depends on the context and purpose of the processing activity.

Data Subject Rights

Under the GDPR, individuals have the following rights regarding their personal data:

  • Right to Information: The right to be informed about the collection and use of their personal data
  • Right of Access: The right to access their personal data and supplementary information
  • Right to Rectification: The right to have inaccurate personal data rectified or completed if incomplete
  • Right to Erasure: The right to have personal data erased in specific circumstances
  • Right to Restrict Processing: The right to request the restriction or suppression of their personal data
  • Right to Data Portability: The right to obtain and reuse their personal data for their own purposes across different services
  • Right to Object: The right to object to processing based on legitimate interests, direct marketing, and research
  • Rights Related to Automated Decision Making: Safeguards against the risk that a potentially damaging decision is made without human intervention

CyberITEX is committed to facilitating the exercise of these rights by data subjects. Requests can be submitted through our contact information provided at the end of this page.

CyberITEX as a Data Controller

As a data controller, CyberITEX processes personal data related to:

  • Our clients and prospective clients
  • Our employees and job applicants
  • Visitors to our website and users of our client portal
  • Marketing recipients and business contacts

For these processing activities, we:

  • Maintain a record of processing activities
  • Conduct data protection impact assessments where necessary
  • Implement appropriate technical and organizational security measures
  • Provide privacy notices at the point of data collection
  • Have procedures in place to respond to data subject requests
  • Report personal data breaches to supervisory authorities when required

CyberITEX as a Data Processor

As a Managed Security Service Provider, CyberITEX often acts as a data processor for our clients. In this role, we:

  • Process personal data only on documented instructions from our clients
  • Ensure that persons authorized to process personal data are under appropriate confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist our clients in fulfilling their obligations to respond to data subject requests
  • Assist our clients with security measures, data breach notifications, and impact assessments
  • Delete or return all personal data to the client at the end of the service provision
  • Make available to our clients all information necessary to demonstrate compliance

These commitments are detailed in our Data Processing Agreement, which is part of our service contracts with clients.

International Data Transfers

CyberITEX primarily operates in the United States. When transferring personal data from the EU/EEA to the US or other countries not recognized as providing adequate protection, we implement appropriate safeguards:

  • Using Standard Contractual Clauses (SCCs) approved by the European Commission
  • Implementing additional technical and organizational measures as recommended by the European Data Protection Board
  • Conducting transfer impact assessments to evaluate the risks associated with specific transfers
  • Limiting transfers to what is necessary for the provision of our services

We continuously monitor developments in international data transfer requirements and update our practices accordingly.

Data Protection by Design and Default

CyberITEX implements data protection by design and default through:

  • Integrating data protection considerations into our service development processes
  • Minimizing the collection and processing of personal data
  • Implementing privacy-enhancing technologies and techniques
  • Applying strong encryption and access controls
  • Setting privacy-friendly default settings in our systems and applications
  • Conducting regular security assessments and tests

Data Protection Impact Assessments

CyberITEX conducts Data Protection Impact Assessments (DPIAs) when processing is likely to result in a high risk to the rights and freedoms of individuals, particularly when implementing new technologies or processing sensitive data on a large scale.

Our DPIA process includes:

  • Systematic description of the processing operations and purposes
  • Assessment of the necessity and proportionality of the processing
  • Assessment of risks to the rights and freedoms of data subjects
  • Measures to address the risks, including safeguards and security measures
  • Consultation with relevant stakeholders, including data subjects where appropriate

Breach Notification

In the event of a personal data breach, CyberITEX will:

  • Notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals
  • Notify affected data subjects without undue delay when the breach is likely to result in a high risk to their rights and freedoms
  • When acting as a data processor, notify our client (the data controller) without undue delay after becoming aware of a breach
  • Document all breaches, including the facts, effects, and remedial actions taken

Data Protection Officer

CyberITEX has appointed a Data Protection Officer (DPO) who is responsible for:

  • Monitoring compliance with the GDPR and other data protection laws
  • Advising on data protection obligations and impact assessments
  • Cooperating with supervisory authorities
  • Acting as a contact point for data subjects and supervisory authorities

Our DPO can be contacted using the information provided at the end of this page.

Employee Training

CyberITEX ensures that all employees who process personal data:

  • Receive regular training on data protection principles and requirements
  • Understand their responsibilities regarding data protection
  • Are aware of the company's policies and procedures
  • Sign confidentiality agreements
  • Follow security best practices

Compliance Documentation

CyberITEX maintains documentation to demonstrate GDPR compliance, including:

  • Records of processing activities
  • Data protection policies and procedures
  • Data Processing Agreements with clients and sub-processors
  • Records of data subject requests and responses
  • Data breach records
  • Security certifications and audit reports
  • Data Protection Impact Assessments
  • Staff training records

Working with Our Clients on GDPR Compliance

As a Managed Security Service Provider, CyberITEX helps our clients meet their GDPR obligations through:

  • Security services that help protect personal data
  • System configurations that support data protection by design and default
  • Access controls and authentication mechanisms
  • Encryption solutions for data at rest and in transit
  • Assistance with data subject request fulfillment
  • Breach detection and notification
  • Guidance on GDPR requirements

We provide clear documentation of our security measures to help clients demonstrate their compliance.

Updates to Our GDPR Compliance Program

CyberITEX continuously reviews and updates our GDPR compliance program to:

  • Incorporate regulatory guidance and case law
  • Address evolving security threats
  • Adapt to changes in our services and processing activities
  • Improve our practices based on experience and feedback

We will inform clients of significant changes to our GDPR compliance program.

Contact Our Data Protection Officer

If you have any questions about our GDPR compliance or wish to exercise your data subject rights, please contact our Data Protection Officer:

By email: dpo@cyberitex.com

By phone: +1 (970) 460-8020

By mail: CyberITEX Data Protection Officer, 30 N Gould St SHERIDAN, WY 82801