CyberDyn Security understands that it has a responsibility to protect and respect your privacy and look after your personal data.
This Privacy Notice explains how CyberDyn Security Limited collects, uses, stores and protects personal data and the rights available to individuals under UK data protection law.
For clarity, CyberDyn Security may be both data controller and data processor for your personal data under certain circumstances.
We may update this Privacy Notice from time to time. The latest version will always be published on our website.
This Privacy Notice explains your rights under UK data protection legislation.
1. Who are we?
CyberDyn Security Limited (“CyberDyn”, “we”, “us”, “our”) provides cyber security software and managed services to help organisations secure, manage, monitor, and maintain their IT environments.
Registered Address:
CyberDyn Security Limited
3 Cranwell Close
St. Albans
Hertfordshire
AL4 0SH
United Kingdom
Company registration number: 13394007
ICO registration number: ZB248009
Data Protection Officer
Steve Martin
Email: dpo@cyberdyn.co.uk
Phone: 01727 324210
CyberDyn Security may act as a Data Controller, Data Processor, or Joint Controller, depending on the service provided and the nature of the processing. This will be defined contractually where required.
2. Scope of This Privacy Notice
This Privacy Notice explains:
• What personal data we collect
• How we use personal data
• The lawful bases we rely upon
• Who we share personal data with
• How long we keep personal data
• Your rights under UK GDPR
• How to contact us regarding privacy matters
This Privacy Notice applies to users of our website, customers, prospective customers, suppliers, contractors, job applicants, and individuals whose personal data is processed through our services.
3. The Personal Data We Collect
We may collect and process the following categories of personal data:
Identity and Contact Data
• Name
• Job title
• Organisation name
• Business email address
• Telephone number
• Postal Address
Account and Billing Data
• Customer account details
• Invoices and payment records
• Contract information
Technical and Security Data
• IP addresses
• Device identifiers
• Operating system information
• Audit logs
• Authentication records
• Security event information
Communications Data
• Emails
• Support tickets
• Call recordings (calls may be recorded for training, quality assurance, dispute resolution, security monitoring, fraud prevention and evidential purposes)
• Correspondence relating to enquiries, services and support
Recruitment Data
• Employment applications
• CVs and supporting recruitment information
• Right to work evidence
• References
• Criminal record information (where relevant)
Where criminal offence data is processed, CyberDyn Security Limited maintains an Appropriate Policy Document in accordance with Schedule 1 of the Data Protection Act 2018, which describes the lawful basis and conditions relied upon for processing, our procedures for securing compliance with the UK GDPR data protection principles, and our policies regarding the retention and secure deletion of criminal offence data.
We process recruitment information for the purposes of assessing suitability for employment, managing recruitment processes and complying with legal obligations relating to employment.
Our services are intended for business users and are not directed at children. We do not knowingly collect personal data relating to children through our website or services.
Website Information
When you visit our website we may automatically collect:
• IP addresses
• Browser type and version
• Device information
• Website usage information
• Cookie identifiers
• Referring website information
For further information please see our Cookie Policy.
4. Cyber ForCE Security Scanner
When using the Cyber ForCE Security Scanner, we may collect information entered into the scanner including:
• Company name
• User name
• Email address
• Computer name
The scanner may also collect technical information from the device being scanned, including:
• BIOS, manufacturer and device information
• Operating system version and build information
• Windows Update status
• AutoRun configuration
• BitLocker status
• Antivirus and endpoint protection status
• Firewall status
• Local administrator account information
• Network adapter and DNS configuration information
• Device management (MDM/Intune) status
• Installed software inventory
• Scan results and security assessment information
We process scan data for the purposes of:
• Assessing compliance with security standards
• Producing security reports
• Identifying vulnerabilities and configuration weaknesses
• Supporting remediation activities
• Providing cybersecurity consultancy services
• Monitoring service delivery and contractual performance
Scan data may contain personal data relating to employees, contractors, system users and administrators. Such information is processed only to the extent necessary to provide security assessment and remediation services.
We do not intentionally collect special category personal data through the Cyber ForCE Security Scanner. Where such information is incidentally encountered, processing will only occur where an applicable Article 9 UK GDPR condition applies and appropriate safeguards are in place.
Where special category personal data is processed, CyberDyn Security will rely upon an applicable condition under Article 9 UK GDPR and, where required, Schedule 1 of the Data Protection Act 2018.
Some scan results may identify individual users, administrators, devices or user accounts and may therefore constitute personal data under UK GDPR.
The Cyber ForCE Security Scanner performs automated analysis of technical configuration data. However, no decisions producing legal or similarly significant effects are made solely through automated means.
The scanner is intended solely for authorised business use. Users must ensure they have authority to assess the relevant systems and devices before performing scans.
Where customers submit scan data containing personal data, they remain responsible for ensuring transparency obligations under UK GDPR are met, including the provision of privacy information to affected employees, users or contractors where required.
Scan information may be transmitted, processed and stored within Microsoft 365 and Microsoft Power Platform environments operated by CyberDyn Security for the purpose of generating reports, delivering services and maintaining records.
5. Sources of Personal Data
We may obtain personal data:
• Directly from you
• From your employer or organisation
• From customers who engage our services
• Through our website
• Through software and services we provide
• From publicly available business sources
• From business referral partners
• From service providers used to deliver contracted services
Where personal data is obtained from third parties, we will provide individuals with the information required by Articles 13 and 14 of UK GDPR within the applicable statutory timescales unless an exemption applies, including where the provision of such information would involve a disproportionate effort, would render the processing impossible or seriously impair the achievement of the processing objectives, is required by law, or where another exemption under UK GDPR or the Data Protection Act 2018 applies.
In some circumstances personal data is required to enter into or perform a contract with us. If you do not provide information requested, we may be unable to provide services, respond to enquiries or fulfil contractual obligations.
Where personal data is obtained indirectly, categories may include business contact details, professional information, organisation details and publicly available business information.
6. Lawful Bases for Processing
We process personal data under one or more of the following lawful bases:
Processing Activity and Lawful Basis
| Purpose of Processing | Categories of Personal Data | Lawful Basis |
|---|---|---|
| Responding to enquiries and providing quotations | Identity and Contact Data | Legitimate Interests |
| Delivering contracted cybersecurity services | Identity, Contact, Account, Technical and Security Data | Contract |
| Management of customer accounts and service delivery | Identity, Contact, Account and Billing Data | Contract |
| Provision of Cyber ForCE Security Scanner reports and assessments | Identity, Contact and Technical Security Data | Contract and Legitimate Interests |
| Security monitoring, vulnerability assessment and protection of customer environments for the purposes of maintaining network and information security, detecting cyber threats and preventing unauthorised access to systems | Technical and Security Data | Legitimate Interests |
| Recruitment and employment administration | Recruitment Data | Contract, Legal Obligation and Legitimate Interests |
| Processing invoices and maintaining financial records | Account and Billing Data | Legal Obligation |
| Compliance with legal, regulatory or law enforcement requirements | Any relevant personal data | Legal Obligation |
| Business-to-business marketing communications | Identity and Contact Data | Legitimate Interests or Consent, depending on circumstances |
| Management of legal claims and dispute resolution | Any relevant personal data | Legitimate Interests and Legal Obligation |
| Call recording for training, security and dispute resolution | Communications Data | Legitimate Interests |
Marketing communications are conducted in accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR.
Contract
Where processing is necessary to provide products or services requested by you or your organisation.
Legal Obligation
Where processing is required to comply with legal, regulatory, taxation or accounting obligations.
Legitimate Interests
Where processing is necessary for our legitimate interests, including to:
• Protect customer systems from cyber threats and unauthorised access
• Detect, investigate and prevent fraud, cybercrime and misuse of our services
• Provide cybersecurity assessments and recommendations
• Maintain network and information security
• Improve the effectiveness and reliability of our products and services
• Communicate with existing and prospective business customers regarding relevant cybersecurity services
Where we rely on legitimate interests, we undertake balancing assessments to ensure your rights are protected.
Copies of our legitimate interests assessments may be requested where appropriate and where disclosure does not adversely affect the rights of others.
Consent
Where consent is required, such as certain marketing communications or optional service features.
Consent may be withdrawn at any time.
7. How We Use Your Personal Data
We use personal data to:
• Deliver cybersecurity products and services
• Administer contracts
• Process payments
• Provide customer support
• Manage service accounts
• Communicate service updates
• Deliver security assessments
• Monitor security events
• Conduct audits and compliance activities
• Recruit employees and contractors
• Improve our products and services
• Maintain internal records
• Meet legal and regulatory obligations
Where lawful, we may also send marketing communications relating to products and services we believe may be relevant to your business.
Where we rely on consent, consent may be withdrawn at any time. Where we rely on legitimate interests for business-to-business marketing, individuals may object at any time.
You can opt out of marketing communications at any time.
8. Sharing Your Personal Data
We do not sell personal data.
We may share data with trusted third parties where necessary, including:
• Cloud hosting providers
• Managed service providers
• Infrastructure providers
• Cybersecurity technology partners
• Professional advisers
• Auditors
• Insurers
• Payment providers
• Regulatory bodies
• Courts and law enforcement agencies
Our primary technology providers may include Microsoft 365, Microsoft Azure, Microsoft Power Platform and other security technology suppliers used in the provision of contracted services.
All third parties are subject to contractual confidentiality and data protection obligations where required.
9. Sharing Scanner Information
Where the Cyber ForCE Security Scanner is used, scan data may be shared with:
• CyberDyn Security personnel providing services
• Microsoft 365 services
• Microsoft Power Automate services
• Customer-owned reporting systems
• Authorised recipients designated by the customer
• Security consultants and service providers involved in remediation activities
Such processing is performed only as necessary to deliver the agreed services.
10. Controller and Processor Status
Data Controller
CyberDyn Security Limited acts as Data Controller where we determine the purposes and means of processing personal data, including:
• Website enquiries
• Marketing activities
• Recruitment
• Customer administration
• Operation of CyberDyn-owned services
Data Processor
CyberDyn acts as a Data Processor when processing personal data solely on behalf of a customer and under documented instructions.
Where customers use the Cyber ForCE Security Scanner on their own systems, the customer will normally be the Data Controller for scan results.
Depending upon the service provided, CyberDyn and the customer may operate as:
• Independent Controllers
• Joint Controllers
• Controller and Processor
The applicable relationship will be documented within relevant contracts, service agreements or data processing agreements.
The essence of any Joint Controller arrangement will be made available upon request in accordance with Article 26 UK GDPR.
Where CyberDyn Security acts as a Joint Controller with another organisation, an arrangement will be established defining the respective responsibilities of each party for compliance with UK GDPR. Individuals may request a summary of the essential aspects of such arrangements.
11. International Data Transfers
Some service providers may process personal data outside the United Kingdom.
Where personal data is transferred internationally we implement appropriate safeguards including:
• UK International Data Transfer Agreements (IDTA)
• UK Addendum to EU Standard Contractual Clauses
• Adequacy Regulations issued by the UK Government
• Transfer Risk Assessments where appropriate
Details of current international transfers and applicable safeguards can be requested by contacting the Data Protection Officer.
Where transfers are made to the United States or other countries not subject to UK adequacy regulations, we implement appropriate safeguards and assess risks to individuals' rights and freedoms.
12. Security of Personal Data
We implement appropriate technical and organisational measures designed to protect personal data from unauthorised access, loss, misuse, alteration or disclosure.
Such measures may include:
• Access controls
• Multi-factor authentication
• Encryption
• Security monitoring
• Vulnerability management
• Backup procedures
• Audit logging
• Staff confidentiality obligations
• Information security policies and procedures
No system can be guaranteed to be completely secure. However, we continually review and improve our security arrangements.
13. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected. Our retention periods include:
| Data Type | Retention Period |
|---|---|
| Customer Contracts | 7 years after termination |
| Financial Records | 6 years plus current tax year |
| Service Records | 7 years |
| Support Tickets | 3 years |
| Security Logs | 12 months |
| Scan Reports | 3 years unless a contract requires a longer retention period |
| Marketing Records | Until consent is withdrawn, an unsubscribe request is received, or after 24 months of inactivity |
| Unsuccessful Job Applications | 6 months |
| Call recordings | 12 months |
Where longer retention is required by law, regulation or legal proceedings, personal data may be retained accordingly.
14. Your Rights Under UK GDPR
Under UK GDPR you have the right to:
• Access your personal data
• Rectify inaccurate data
• Erase personal data
• Restrict processing
• Object to processing in certain circumstances, where we rely on legitimate interests
• Request data portability
• Withdraw consent at any time
• Lodge a complaint
• Not be subject to decisions based solely on automated processing that have legal or similarly significant effects
You have the right to object at any time to processing carried out on the basis of legitimate interests, including direct marketing activities. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms or the processing is required for legal claims.
These rights are not absolute and may be subject to exemptions or limitations under applicable law.
Requests may be submitted by email to dpo@cyberdyn.co.uk.
We may request proof of identity before processing a request.
15. Data Subject Requests
Requests to exercise your rights can be submitted to dpo@cyberdyn.co.uk.
We will normally respond within one month of receiving a valid request, although this period may be extended where permitted by UK GDPR.
Requests are normally processed free of charge. We may charge a reasonable fee or refuse a request where permitted under UK GDPR, including where a request is manifestly unfounded or excessive.
16. Complaints
If you are dissatisfied with how we process personal data, please contact us first so we can attempt to resolve the issue.
You have the right to lodge a complaint with the ICO at any time:
Information Commissioner’s Office (ICO)
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: Information Commissioner's Office
17. Cookies and Website Analytics
Our website uses cookies and similar technologies to:
• Operate the website
• Remember preferences
• Analyse website traffic
• Improve user experience
• Measure marketing effectiveness
Further information is available in our Cookie Policy.
Where required by law, we will obtain consent before placing non-essential cookies.
18. Third-Party Websites
Our website may contain links to third-party websites.
We are not responsible for the privacy practices, security or content of external websites. We encourage users to review the privacy notices of those websites before providing personal information.
19. Changes to This Privacy Notice
We may update this Privacy Notice from time to time.
The current version will always be available on our website.
Material changes may also be communicated directly where appropriate.
20. Document Control
Document Owner: Data Protection Officer
Approved By: Steve Martin
Version: 3.0
Effective Date: 25 June 2026
Last Updated: 25 June 2026
Review Frequency: Annually
21. Change History Record
| Issue | Description of Change | Approval | Date of Issue |
|---|---|---|---|
| 1 | Initial Issue | S. Martin | 04/03/2021 |
| 2 | 2026 Update | S. Martin | 04/03/2026 |
| 3 | Cyber ForCE Security Scanner Added | S. Martin | 25/06/2026 |