Data Privacy Policy
Effective Date: January 01, 2025
​
Cyber5 is committed to protecting the privacy and security of personal data in accordance with the EU-U.S. Data Privacy Framework (DPF) and the UK Extension to the DPF. This policy outlines the purposes for which Cyber5 processes personal data, the types of data involved, and the safeguards in place to ensure compliance with applicable data protection laws.
​
1. Scope and Applicability
This policy applies to all personal data received by Cyber5 in the United States from the European Union, United Kingdom, or Switzerland in reliance on the DPF. It governs the handling of such data across all Cyber5 services, including managed cybersecurity, managed compliance, consulting, and risk assessment engagements.
​
2. Purpose of Data Processing
Cyber5 processes personal data solely for the purpose of delivering cybersecurity and compliance services to its clients. This includes:
- Monitoring and securing client networks, endpoints, and cloud environments.
- Performing risk assessments and compliance evaluations.
- Managing cybersecurity incidents and threat responses.
- Supporting client onboarding, service delivery, and technical support.
Cyber5 does not process HR, clinical trial, or consumer marketing data under the DPF.
​
3. Types of Personal Data Processed
Cyber5 may process the following categories of personal data on behalf of its clients:
- Client data: Names, email addresses, IP addresses, user IDs, and other identifiers necessary for service delivery.
- Organizational data: Logs, telemetry, and system metadata related to client infrastructure and user activity.
- Security event data: Information related to potential or actual cybersecurity threats, including indicators of compromise and incident response artifacts.
All data processed is limited to what is necessary for the performance of Cyber5’s contractual obligations.
​
4. Onward Transfers to Third Parties
Cyber5 may disclose personal data to third-party service providers (e.g., cloud infrastructure providers, security operations centers) strictly for the purposes outlined above. In such cases:
- Cyber5 ensures that third parties provide the same level of protection as required by the DPF.
- Third parties are contractually obligated to process data only for specified purposes and to notify Cyber5 if they can no longer meet DPF standards.
- Cyber5 remains liable under the DPF Principles if a third party processes personal data in a manner inconsistent with the Principles, unless Cyber5 proves it was not responsible for the event giving rise to the damage.
​
5. Data Security and Risk Management
Cyber5 implements a comprehensive cybersecurity program that includes:
- Defense-in-depth architecture with endpoint, network, and application-level protections.
- Data Loss Prevention (DLP) policies for email, cloud storage, and endpoint devices.
- Identity and access management, SIEM integration, and vulnerability monitoring.
- A formal risk management policy aligned with enterprise risk frameworks and reviewed regularly to reflect evolving threats.
​
6. Individual Rights and Contact
Individuals whose data is processed under the DPF have the right to access, correct, or delete their personal data. Requests should be directed to:
Email: privacy@cyber5.com
Mail: Cyber5, 18 Augusta Pines Drive, Suite 150E, Spring, TX 77389
Cyber5 will respond to all inquiries in accordance with DPF requirements and applicable data protection laws.