GDPR Compliance

How SecGuard protects your data rights under GDPR

Our Commitment to GDPR

SecGuard is fully committed to compliance with the European Union's General Data Protection Regulation (GDPR). We have implemented comprehensive measures to ensure that all personal data is processed lawfully, transparently, and securely.

🇪🇺 EU Data Residency Available

For customers in the European Economic Area (EEA), we offer data hosting within EU data centers to ensure full compliance with data residency requirements.

1. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract Performance: To provide our phishing simulation and training services
  • Legitimate Interest: To improve our service, ensure security, and prevent fraud
  • Consent: For marketing communications and optional features
  • Legal Obligation: To comply with applicable laws and regulations

2. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you. We will provide this in a structured, commonly used format within 30 days.

Right to Rectification

Correct any inaccurate or incomplete personal data. You can update most information directly in your account settings.

Right to Erasure

Request deletion of your personal data ("right to be forgotten"). We will comply unless we have legal grounds to retain the data.

Right to Restriction

Limit how we process your data in certain circumstances, such as while we verify accuracy or address objections.

Right to Portability

Receive your data in a machine-readable format and transfer it to another service provider.

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling grounds.

How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer:

Email: dpo@secguard.app

Subject Line: "GDPR Request - [Your Right]"

We will respond to your request within 30 days and may require identity verification to protect your data.

3. Data Processing Principles

We adhere to all GDPR data processing principles:

| Principle | How We Comply |
|---|---|
| Lawfulness, Fairness, Transparency | Clear privacy notices, lawful processing bases, transparent data practices |
| Purpose Limitation | Data collected only for specified, legitimate purposes |
| Data Minimization | Collect only what's necessary to provide the service |
| Accuracy | Tools to update information, regular data quality checks |
| Storage Limitation | Retention policies, automatic deletion after account termination |
| Integrity & Confidentiality | Encryption, access controls, security audits, incident response |
| Accountability | Documentation, DPO appointment, DPIA processes, compliance records |

4. Data Protection Measures

4.1 Technical Safeguards

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Multi-factor authentication
  • Role-based access controls (RBAC)
  • Regular security audits and penetration testing
  • Automated security monitoring and alerting
  • Secure software development lifecycle

4.2 Organizational Safeguards

  • Data Protection Officer (DPO) appointed
  • Privacy by design and by default
  • Data Processing Impact Assessments (DPIAs)
  • Staff training on data protection
  • Confidentiality agreements with employees
  • Vendor due diligence and data processing agreements
  • Incident response and breach notification procedures

5. International Data Transfers

When data is transferred outside the EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU-approved model contracts
  • Adequacy Decisions: Transfers to countries recognized by the EU Commission
  • EU Data Residency: Option to keep all data within EU borders
  • Supplementary Measures: Additional technical and organizational safeguards

6. Data Processing Agreement (DPA)

As a data processor for our customers, we provide a comprehensive Data Processing Agreement (DPA) that includes:

  • Details of processing activities and purposes
  • Security measures and obligations
  • Sub-processor list and approval process
  • Data subject rights assistance procedures
  • Breach notification commitments
  • Audit rights and compliance verification
  • Data return and deletion upon termination

7. Cookie Policy

We use cookies in compliance with the GDPR and the ePrivacy Directive:

  • Essential Cookies: Required for service functionality (no consent needed)
  • Analytics Cookies: Used with your consent to improve the service
  • Preference Cookies: Remember your settings and choices

You can manage cookie preferences through our cookie banner and browser settings.

8. Data Breach Notification

In the unlikely event of a data breach affecting personal data:

  • We will notify the relevant supervisory authority within 72 hours
  • Affected customers will be notified without undue delay
  • We will describe the nature of the breach and likely consequences
  • We will outline measures taken to address the breach
  • We maintain detailed breach logs and response documentation

9. Children's Privacy

Our service is not directed at children under 16. We do not knowingly collect personal data from children. If we discover that we have collected data from a child, we will delete it immediately.

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority if you believe we have violated GDPR. If you are an EU customer, you may contact:

Your Local Data Protection Authority

Find your local authority: European Data Protection Board

11. Updates to GDPR Compliance

We continuously monitor GDPR developments and update our practices accordingly. Material changes will be communicated via email and posted on this page.

12. Contact Our Data Protection Officer

For any GDPR-related questions or requests:

Data Protection Officer: Sarah Mitchell

Email: dpo@secguard.app

Address: SecGuard Inc., Data Protection Office, 123 Security Boulevard, Suite 500, San Francisco, CA 94105, USA

EU Representative: SecGuard Europe Ltd., Dublin, Ireland

Last Updated: January 18, 2025
Version: 2.0