Managed UTM and Hosted Managed UTM Privacy Statement
Redscan Cyber Security Limited (“Redscan”) collects and processes personal data for the purposes of providing support for its Managed UTM services (“UTM Services”), including Hosted Options. This privacy notice is designed to inform you about the data we collect, what we use it for and your rights regarding the use of this data.
Who is Redscan?
Redscan provides cyber security services to a wide range of organisations. We are committed to protecting the personal data we hold.
Personal data
Under the EU’s General Data Protection Regulation (GDPR) personal data is defined as:
“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Why does Redscan collect and process personal data?
Redscan collects personal data for the following reasons:
- To maintain a list of authorised users, including email addresses and phone numbers, on its support.redscan.com ticket system (“Ticket System”), in order to support its UTM Services
- To assist with account management and billing
Redscan is committed to ensuring that the information we collect and use is appropriate for these purposes and does not constitute an invasion of your privacy.
What personal data do we process?
The personal data we may collect and process through your use of our UTM Services includes:
- Name and job title
- Company name
- Email address
- Telephone number
- Postal address
- IP address
- Browser ID
Any additional personal data that you choose to share with us will also be processed.
The collection and processing of this data is considered to be a legitimate interest, as defined in Recital 49 of the GDPR.
Cookies
Like most online businesses, Redscan uses web cookies to improve user experience. Cookies are small files that are placed on your system and assist Redscan in understanding how individuals use our website and systems. Cookies can be refused but may affect Redscan’s ability to deliver certain functionality.
Indirect personal data collection
In addition to personal data relating to users of the Ticket System, log files will also be collected in the course of the day-to-day operation of the UTM services. The data in these log files may consist of the contents of emails scanned by the Service Delivery Platform (“SDP”) or web access where the URL contains personal data. The specific data that may be collected is outside the control of Redscan. Emails scanned and quarantined by the UTM services will be stored for an indeterminate length of time as the deletion process is defined by the amount of remaining disk space available on the SDP.
Security of personal data
All personal data processed by Redscan is protected by appropriate controls, including:
- Encryption to secure data in transit and at rest
- Access controls to ensure only appropriate staff have access to data
- Audit and logging controls
- Data backup
- Physical security and access control (for Redscan hosted systems)
- Environmental protection (for Redscan hosted systems)
Redscan’s Information Security Management System is ISO 27001 certified to provide external auditing of our information security policies and processes.
Lawfulness of processing
Under Article 6 of the GDPR, any organisation that processes personal data must have a lawful basis for doing so. All data processed by Redscan for the provision of the UTM Services is processed because it is required for the performance of a contract or prior to entering into a contract. Redscan is the controller for account information stored on the Ticket System.
Other processing such as marketing is covered by a separate privacy notice.
Retention period
Redscan will only retain the data for as long as it is required to provide the service or to meet its legal and regulatory requirements.
Third parties
Redscan will not pass your data to third parties unless this is required for providing support. This may include passing contact details for hardware support to vendors as required.
Your rights as a data subject
At any point while we are in possession of or processing personal data, a data subject has the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
- Right to judicial review – in the event that Redscan refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain (as outlined in the Complaints section below).
Policy updates
From time to time, Redscan may update this privacy notice to reflect changes to the personal data we process or for other operational, legal or regulatory reasons.
The date at the bottom of this notice indicates when the notice was last updated.
Complaints
In the event that you wish to make a complaint about how your personal data is processed by Redscan, email us at dataprotection@redscan.com
If you are unhappy about how a complaint has been handled by Redscan, you have a right to lodge a complaint directly with the Information Commissioner’s Office in the UK (www.ico.org.uk) or your local supervisory authority.
Updated 11th May 2018