Searchlight Cyber Privacy Policy

LAST MODIFIED ON FEB 20, 2023

1. PURPOSE OF THIS POLICY

The purpose of this document is to ensure that data subjects (individuals) are adequately informed about the collection and use of their personal data by Searchlight in its capacity as a Data Controller.

Ensuring data subjects are informed correctly can help Searchlight to comply with other aspects of the GDPR and build trust with people, but getting it wrong can leave Searchlight open to fines and lead to reputational damage.

2. THE POLICY

The GDPR is more specific about the information that Data Controllers need to provide to people about what they do with their personal data. Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

Data Controllers shall actively provide this information to individuals in a way that is easy to access, read and understand.

If you are processing personal information, on behalf of Searchlight, as a Data Controller, you shall: –

  • Provide individuals with information including (but not limited to): – the purposes for processing their personal data, the retention periods for that personal data, and who it will be shared with. We call this a ‘privacy notice’.
  • Provide privacy notice information to individuals at the time you collect their personal data from them.
  • If you obtain personal data from other sources, provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

There are a few circumstances when Searchlight does not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

The information Searchlight provides to people will be concise, transparent, intelligible, easily accessible, and it shall use clear and plain language.

We shall regularly review, and where necessary, update our privacy information. We shall bring any new uses of an individual’s personal data to their attention before we start the processing.

2.1 What we shall provide

Searchlight shall provide individuals with all the following privacy information: –

  • The name and contact details of our organisation.
  • The contact details of our data protection officer/representative.
  • The purposes of the processing.
  • The lawful basis for the processing.
  • The legitimate interests for the processing (if applicable).
  • The categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
  • The recipients or categories of recipients of the personal data.
  • The details of transfers of the personal data to any third countries or international organisations (if applicable).
  • The retention periods for the personal data.
  • The rights available to individuals in respect of the processing.
  • The right to withdraw consent (if applicable).
  • The right to lodge a complaint with a supervisory authority.
  • The source of the personal data (Note: this is only applicable if the personal data is not obtained from the individual it relates to).
  • The details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if the personal data is collected from the individual it relates to).
  • The details of the existence of automated decision-making, including profiling (if applicable).

2.2 When we shall provide it

Searchlight shall provide individuals with privacy information at the time we collect their personal data from them.

If we obtain personal data from a source other than the individual it relates to, we shall provide them with privacy information: –

  • within a reasonable period of obtaining the personal data and no later than one month;
  • if we plan to communicate with the individual, at the latest, when the first communication takes place; or
  • if we plan to disclose the data to someone else, at the latest, when the data is disclosed.

Searchlight’s Internal Privacy Notice shall be provided to our employees and contractors and shall not be included in the Company’s External Privacy Notice.

2.3 How we shall provide it

Searchlight shall provide the information in a way that is: –

  • concise;
  • transparent;
  • intelligible;
  • easily accessible;
  • clear and plain; and
  • “layered” where possible.

2.4 Changes to the information

Searchlight shall regularly review and, where necessary, update our privacy information.

If we plan to use personal data for a new purpose, we shall update our privacy information and communicate the changes to individuals before starting any new processing.

2.5 Approval of Searchlight Privacy Notices

All Searchlight Privacy Notices shall be approved by the CEO.

 

2.5.1 Further Guidance

Please refer to the following for further guidance: –

3. DEFINITIONS

Data Controller – the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Personal data – any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

 

 

ANNEX A – SEARCHLIGHT CYBER PRIVACY NOTICE

 

A1. INTRODUCTION

Searchlight Cyber Ltd (Searchlight) is a clear, deep and dark web intelligence company that works with law enforcement, industry and end users to help protect against the threats of the darknet.

Searchlight offers the following Solutions and Services:

 

A1.1 Solutions

  • Cerberus platform
  • DarkIQ platform

A1.2 Services

  • Platform monitoring and maintenance
  • Forensic Support

These solutions and services are supported by a range of capabilities to further assist our customers, and additional solutions, products and services are under constant development.

A1.3 Terminology

Below is some quick guidance on terminology to help you clearly understand this notice: –

  • Personal information is any information relating to an identified or identifiable living person.
  • The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal information are, or are to be, processed. In the context of this Policy, Searchlight is the Data Controller.

 

A2. SECURITY

Searchlight is committed to protecting your personal information and privacy. We are certified to an internationally recognised security standard (ISO/IEC 27001), with a UKAS accredited body.

We have security measures in place designed to prevent the loss of data, preserve data integrity, and control access to the data. We know that ensuring the accuracy and security of your personal information is essential to retaining your confidence and trust.

 

A3. PURPOSE OF THIS PRIVACY NOTICE

The purpose of this privacy notice is to describe, in cases where Searchlight is the Data Controller, why and how we collect and use your personal information and to provide information about your rights. It applies to personal information provided to us, either by individuals themselves or by others. We may use personal information provided to us for any of the purposes described in this privacy notice or as otherwise stated at the point of collection.

When collecting and using personal information, our policy is to be fair, lawful and transparent about why and how we process personal information.

To find out more about our specific processing activities, please go to the relevant sections of this notice.

 

A4. What we do with your Personal Information

A4.1 What we do with your Personal Information – If you are a Customer/End User

We use your data for the following purposes to enable us to deliver our services to you in the most effective way.

 

A4.1.1 MySQL

Customer login information is stored in a MySQL database that is held in the United Kingdom or EU. Data held includes the following:

  • Username
  • Company
  • Email address
  • Hashed password

A4.1.2 HUBSPOT.com

HubSpot.com is used to record customer leads and contact details. All the information is held in HubSpot’s cloud. HubSpot’s security policy can be found on its website. The information held on customers includes the following:

  • Customer name and business details
  • Conversations with Searchlight Cyber
  • Contact details
  • Company notes produced by Searchlight Cyber

A4.1.3 OwnCloud

OwnCloud is used for the company file storage. OwnCloud is hosted on Searchlight Servers in the United Kingdom. Information held on customers includes:

  • Contracts and Agreements with Searchlight Cyber
  • Contact details

A4.1.4 Gmail

Google hosts the company’s email accounts and as such any correspondence with customers. Google’s security policy can be found on its website. Information held on customers includes:

  • Customer name and business details
  • Conversations with Searchlight Cyber
  • Contact details

A4.1.5 Xero

Xero is used for accounting and invoicing. Customer data is held and secured by Xero.com; more information can be found at https://www.xero.com/uk/why-xero/benefits/security/. Data held includes:

  • Customer names
  • Customer contact details including work address and email
  • Customer orders

A4.1.6 Other Uses

We also use your data for the following purposes:-

  • To identify if you have notified us that you do not wish to be contacted and/or receive direct marketing information regarding our services and activities;
  • Unless we have identified you do not wish to receive marketing information, as per above – to contact you directly in the future regarding our services, campaigns and/or events (i.e. via postal and electronic marketing);
  • To send you newsletters regarding the Company’s activities.
  • To create publicity materials to promote the Company’s activities – for inclusion on/in our or other website(s), social media, press articles and/or case studies;
  • For use in our internal publications;
  • For financial reporting;
  • For external use such as Annual Review.

A4.1.7 Our legal basis for using your personal information

The processing of your personal information is based upon the lawful basis of contract. In contracting with us you give us permission to process and hold your information for the purposes of completing our contractual obligations. The proprietary rights and data are given in our standard End User License Agreement (EULA). The below is from the standard EULA on our data policy:

  1. The Licensor owns all right, title and interest, including all intellectual property rights, in and to The Software, and all Modifications thereto.
  2. The User agrees to allow The Licensor and its Affiliates to store and use User and Company business contact information, including User names, business phone numbers, and business e-mail addresses, that is provided by The User to The Licensor.
  3. Company will at all times comply in full with the requirements of any applicable privacy and data protection laws (including where applicable, Regulation 2016/679, the General Data Protection Regulation, and 2002/58/EC and any national implementation(s) of them) to which it is subject as a Data Controller (“Applicable Privacy Law(s)”). The Licensor will process the Data in accordance with Company’s instructions under Applicable Privacy Law(s) and will not: (a) assume any responsibility for determining the purposes for which and the manner in which the Data is processed, or (b) process the Data for its own purposes.
  4. In the course of providing The User with the services contemplated in the EULA, The Licensor may collect, use, process and store diagnostic and usage related content from the computer, mobile phone or other devices the User uses to access the Software. This may include, but is not limited to, IP addresses and activity record.

 

A4.1.8 Who we may share your personal information with

We may share your information with Searchlight technology providers who we engage to support our operations and/or host our data.

 

A4.1.9 The transfer of your personal information to a Country or International Organisation outside of the European Union

We do not intend to transfer your personal information to any countries or International Organisations outside of the European Union.

A4.1.10 How long we keep hold of your data

We retain the personal information processed by us, only for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for your personal information and other documents is 6 months. Specific retention periods are given in the Searchlight Record of Processing.

A4.1.11 Statutory or Contractual Requirement

The provision of your personal information is not a statutory or contractual requirement, or a requirement necessary to enter into a contract, nor are you obliged to provide the personal information.

A4.1.12 Automated Decision Making & Profiling

We do not make any decisions in relation to your personal information, solely by automated means without any human involvement (e.g. we do not conduct automated decision making).

Neither do we conduct any automated processing of personal information to evaluate certain things about you (e.g. we do not conduct profiling).

 

A4.2 What we do with your Personal Information – If you are a Job Applicant

We use your data for the following purposes to enable us to process applications and make decisions about applicants in the most effective way.

 

A4.2.1 OwnCloud

OwnCloud is used for the company file storage. OwnCloud is hosted on Searchlight Servers in the United Kingdom. Information held on job applicants includes:

  • Contact details
  • Role/s applied for and selection process information/decision

A4.2.2 Gmail

Google hosts the company’s email accounts and as such any correspondence with job applicants. Google’s security policy can be found on its website. Information held on job applicants includes:

  • Name and role/s applied for
  • Conversations with Searchlight Cyber
  • Contact details

A4.2.3 BambooHR

BambooHR is used for the company file storage. BambooHR is a Software as a Service application hosted on the Internet. Information will be stored on BambooHR regarding job applicants including:

  • Contact details
  • All information sent by the applicant to Searchlight
  • Role/s applied for and selection process information/decision

A4.2.4 Our legal basis for using your personal information

The processing of your personal information is based upon the lawful basis of consent.

In applying for a position with us, you consent to us processing and holding the required data for the purpose of managing your application.

A4.2.5 Who we may share your personal information with

We may share your information with Searchlight technology providers who we engage to support our operations and/or host our data.

A4.2.6 The transfer of your personal information to a Country or International Organisation outside of the European Union

We do not intend to transfer your personal information to any countries or International Organisations outside of the European Union.

A4.2.7 How long we keep hold of your data

We retain the personal information processed by us, only for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for your personal information and other documents created is 6 months. Specific retention periods are given in the Searchlight Records of Processing.

A4.2.8 Statutory or Contractual Requirement

The provision of your personal information is not a statutory or contractual requirement, or a requirement necessary to enter into a contract, nor are you obliged to provide the personal information.

A4.2.9 Automated Decision Making & Profiling

We do not make any decisions in relation to your personal information, solely by automated means without any human involvement (e.g. we do not conduct automated decision making).

Neither do we conduct any automated processing of personal information to evaluate certain things about you (e.g. we do not conduct profiling).

 

A4.3 What we do with your Personal Information – If you are an ‘Other’

For ‘other’ people, including prospective customers, we use your data for the following purposes to enable us to deliver our services to you in the most effective way.

 

A4.3.1 HUBSPOT.com

HubSpot.com is used to record customer leads and contact details. All the information is held in HubSpot’s cloud. HubSpot’s security policy can be found on its website. The information held on prospective customers includes the following:

  • Customer name and business details
  • Conversations with Searchlight Cyber
  • Contact details
  • Company notes produced by Searchlight Cyber

A4.3.2 OwnCloud

OwnCloud is used for the company file storage. OwnCloud is hosted on Searchlight Servers in the United Kingdom. Information held on prospective customers includes:

  • Name and current role
  • Conversations with Searchlight Cyber
  • Contact details

A4.3.3 Gmail

Google hosts the company’s email accounts and as such any correspondence with individuals. Google’s security policy can be found on its website. Information held on customers includes:

  • Name and current role
  • Conversations with Searchlight Cyber
  • Contact details

A4.3.4 Other Uses

We also use your data for the following purposes:-

  • To identify if you have notified us that you do not wish to be contacted and/or receive direct marketing information regarding our services and activities;
  • Unless we have identified you do not wish to receive marketing information, as per above – to contact you directly in the future regarding our services, campaigns and/or events (i.e. via postal and electronic marketing);
  • To send you newsletters regarding the Company’s activities.
  • To create publicity materials to promote the Company’s activities – for inclusion on/in our or other website(s), social media, press articles and/or case studies;
  • For use in our internal publications;
  • For financial reporting;
  • For external use such as Annual Review.

A4.3.5 Our legal basis for using your personal information

The processing of your personal information is based upon the lawful basis of legitimate interest. The processing is necessary for our legitimate interests.

A4.3.6 Who we may share your personal information with

We may share your information with Searchlight technology providers who we engage to support our operations and/or host our data.

A4.3.7 The transfer of your personal information to a Country or International Organisation outside of the European Union

We do not intend to transfer your personal information to any countries or International Organisations outside of the European Union.

A4.3.8 How long we keep hold of your data

We retain the personal information processed by us, only for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for your personal information and other documents created is 6 months. Specific retention periods are given in the Searchlight Records of Processing.

A4.3.9 Statutory or Contractual Requirement

The provision of your personal information is not a statutory or contractual requirement, or a requirement necessary to enter into a contract, nor are you obliged to provide the personal information.

A4.3.10 Automated Decision Making & Profiling

We do not make any decisions in relation to your personal information, solely by automated means without any human involvement (e.g. we do not conduct automated decision making).

Neither do we conduct any automated processing of personal information to evaluate certain things about you (e.g. we do not conduct profiling).

 

A5. SEARCHLIGHT’S CONTACT DETAILS

The Data Controller is Searchlight (registered in England under Reg No: 10765196 and with its registration address at Pure Offices, Port Solent).

If you have any questions about this privacy policy or how and why we process personal information, please contact us via the email below:

The Data Protection Officer/Representative

Email: enquiries@slcyber.io

 

A6. YOUR RIGHTS

Under certain circumstances, you have rights under data protection laws in relation to your personal information. These rights are summarised below, but if you would like more information on these rights, please go to the ICO’s website. Additionally, if you wish to exercise any of the rights listed below, please contact us using any of the contact details provided above.

A6.1 Access to your personal information

You have a right of access to personal information held by us as a Data Controller. We will aim to respond to any requests for information promptly, and in any event within the legally required time limits (1 month under GDPR).

A6.2 Correcting your personal information

You have a right to request amendment(s) to your personal information. Wherever practically possible, once we are informed that any personal information processed by us is no longer accurate, we will make the necessary amendments based on the updated information.

A6.3 Restriction of Processing of your personal information

In certain circumstances, you have the right to request the restriction or suppression of your personal information. This effectively allows you to limit the way that we use your personal data.

A6.4 Object to Processing

In certain circumstances, you have the right to object to the processing of your personal information. This effectively allows you to ask us to stop processing your personal information.

Where we have told you that any use of information is based on ‘legitimate interest’, you can raise an objection to that use. When you make an objection, we’ll have up to one month to respond to you. We will stop using the information in this way unless we disagree that we should because of a compelling legal justification for continuing to use it. We’ll always tell you what the justification is.

You have a right at any time to stop us from contacting you for marketing purposes or giving your information to other parts of the Group and/or our Marketing Partners.

A6.5 Erasure (also known as “the right to be forgotten”)

In certain circumstances, you have the right to request the erasure of your personal information. More information on these circumstances is available at https://gdpr.eu/right-to-be-forgotten/.

A6.6 Portability

In certain circumstances, you may have the right to obtain and reuse your own personal information that you provided to us, for your own purposes across different services. This data will be provided in a structured, commonly used and machine-readable format and we can transmit this data directly to other parties at your request.

A6.7 Withdrawal of consent

Where we process your personal information based on consent, you have a right to withdraw consent at any time.

If you would like to request to withdraw your consent, please contact us using the contact details above.

 

A7. HOW TO COMPLAIN

In the event you wish to complain about our use of your personal information, please send an email with the details of your complaint to enquiries@slcyber.io. We will look into and respond to any complaints we receive.

You also have a right to lodge a complaint with the Information Commissioner’s Office (ICO) (the UK’s data protection regulator). For further information on your rights and how to complain to the ICO, please refer to the ICO website: www.ico.org.uk.

 

A8. CHANGES TO OUR PRIVACY POLICY

We keep our privacy policy under regular review and we will place any updates on this web page.

If we believe that the changes are material, we’ll let you know by posting the changes on this website and sending you a message about the changes.