Privacy Policy
This policy explains what personal information SEC.co collects, why we collect it, how we use and protect it, and the rights you have over your information. We collect as little as we need, never sell personal data, and protect what we hold the way we protect our clients.
01 Scope of This Policy
This Privacy Policy describes how SEC.co (“SEC.co,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards personal information in connection with our website at sec.co (the “Site”), our cybersecurity advisory, managed-security, incident-response, and testing services (collectively, the “Services”), and any related communications.
This Policy applies to information about website visitors, prospective clients, client personnel who interact with us, event attendees, newsletter subscribers, and job applicants. It does not govern our processing of client data that we handle as a service provider or processor in the course of delivering the Services — that processing is governed by the applicable Master Services Agreement, Statement of Work, and Data Processing Addendum (“DPA”) executed with the client.
02 Information We Collect
Information you provide to us
- Contact and inquiry data — name, business email, company, role, team size, and the contents of any message you submit through our contact form, an assessment request, or email.
- Engagement data — information exchanged while scoping or delivering Services, including points of contact, environment descriptions, and project correspondence.
- Recruitment data — if you apply for a role, your CV/resume, work history, and any information you choose to provide.
- Marketing preferences — newsletter subscriptions and event registrations.
Information collected automatically
- Device and usage data — IP address, browser type, operating system, referring URLs, pages viewed, and timestamps, collected through server logs and privacy-respecting analytics.
- Cookies and similar technologies — see Cookies & Tracking below.
Information from third parties
- Business contact databases and referrals — we may receive your business contact details from partners, mutual contacts, or publicly available professional sources.
- Service providers — analytics, email delivery, and security vendors that support our operations.
We do not intentionally collect special categories of personal data (such as health, biometric, or government-identifier data) through the Site, and we ask that you do not submit such information through our forms.
03 How We Use Information
We use personal information to:
- Respond to inquiries, scope engagements, and provide the Services;
- Operate, maintain, secure, and improve the Site and Services;
- Communicate about engagements, security matters, and service updates;
- Send marketing communications where permitted, subject to your right to opt out;
- Evaluate job applications;
- Detect, investigate, and prevent fraud, abuse, and security incidents;
- Comply with legal obligations, enforce our agreements, and establish, exercise, or defend legal claims.
We do not sell personal information, and we do not use the contents of client engagement communications for advertising.
04 Legal Bases for Processing (EEA/UK)
Where the EU or UK General Data Protection Regulation applies, we process personal data on the following legal bases:
- Contract — to take steps at your request before entering into, and to perform, an engagement.
- Legitimate interests — to operate and secure our business, understand how the Site is used, and pursue business development, balanced against your rights.
- Consent — for non-essential cookies and certain marketing, which you may withdraw at any time.
- Legal obligation — to comply with applicable law, including tax, accounting, and security-incident obligations.
06 Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including to satisfy legal, accounting, security, or reporting requirements, and to establish or defend legal claims. Retention periods vary by data type and context — for example, inquiry data is generally retained for the duration of our business relationship plus a reasonable period thereafter, and recruitment data is retained only as long as needed to evaluate your application unless you consent to a longer period. When information is no longer required, we delete or de-identify it.
07 How We Protect Information
Security is our profession. We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, loss, misuse, and alteration, including encryption in transit and at rest, least-privilege access controls, multi-factor authentication, continuous monitoring, and a documented incident-response program. For details, see our Security page. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
08 International Data Transfers
SEC.co operates from the United States, and our infrastructure and personnel are U.S.-based. If you access the Site or engage with us from outside the United States, your information may be transferred to, stored in, and processed in the United States and other jurisdictions that may have different data-protection laws than your own. Where required, we rely on appropriate transfer mechanisms, such as the European Commission’s Standard Contractual Clauses, to protect personal data transferred internationally.
09 Your Privacy Rights
Depending on where you live, you may have the right to access, correct, delete, or port your personal information; to object to or restrict certain processing; and to withdraw consent. These rights are subject to legal limitations and exceptions.
EEA/UK residents
You may exercise the GDPR rights described above and have the right to lodge a complaint with your local supervisory authority.
California residents (CCPA/CPRA)
You may request disclosure of the categories and specific pieces of personal information we have collected, request deletion, request correction, and opt out of any “sale” or “sharing” of personal information. We do not sell or share personal information as those terms are defined under the CPRA. We will not discriminate against you for exercising your rights.
To exercise any right, contact us at privacy@sec.co. We will verify your request and respond within the timeframes required by applicable law. You may use an authorized agent where permitted.
11 Children’s Privacy
The Site and Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, contact us and we will delete it.
12 Third-Party Links
The Site may contain links to third-party websites and services that we do not control. This Policy does not apply to those properties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third party you visit.
13 Changes to This Policy
We may update this Policy from time to time. When we make material changes, we will revise the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the Site after an update constitutes acceptance of the revised Policy.
Contact Us
For privacy questions, requests, or complaints, contact our privacy team at privacy@sec.co, or write to us at SEC.co, Privacy Office. We will respond as promptly as practicable and within the timeframes required by applicable law.