Responsibilities and definitions
Controller – the company using Cyberon Centry to protect its infrastructure is
responsible for the processing of data, including personal data. This will normally be
the customer/the employer.
Processor – Cyberon Security processes the data on behalf of the controller and is
responsible for implementing appropriate technical and organisational measures in
such a manner that the processing will meet the requirements of the General Data
Protection Regulation and ensure the protection of the rights of the data subject.
The data subject – the directly or indirectly identifiable person whose data are being
collected, stored or otherwise processed. This will normally be the employee or
other persons using the customer’s infrastructure.
Processing – any operation or set of operations which is performed on personal data
or on sets of personal data.
Personal data – any information relating to an identified or identifiable natural person
(the data subject).
Purpose of processing
Cyberon Centry is used to secure the processing of information in the controller’s
infrastructure including the endpoints/personal computers when applicable.
Cyberon Centry monitors network traffic and events including processes, data
access, system usage and application logs. It also retrieves logs from equipment or
services such as firewalls, servers, antivirus solutions, e-mail protection and cloud
services (Office 365) and endpoints depending on the implementation of the service.
The service detects and reports events related to potential threats such as known
vulnerabilities, malicious code, infected web pages, malicious applications,
vulnerable services and attempted attacks, as well as other events affecting the
confidentiality, integrity and availability of the controller’s business, their
infrastructure and applications and their employees.
Lawfulness of processing
The controller has a legitimate interest in processing according to GDPR Article 6.1
(f). Other legitimate grounds for processing might apply depending on the individual
controller. Cyberon Security’s processing is based on the Data Protection Agreement
directly with the controller or indirectly via their suppliers or vendors.
The purpose of processing is not to process special categories of personal data.
Should the processing include special categories of personal data the processing is
necessary for the purposes of carrying out the obligations and exercising specific
rights of the controller according to The General Data Protection Regulation Article
The types of personal data processed by Cyberon Centry:
- Anomalies in infrastructure, data at rest or data in transit
- Internal or external activities related to potential threats
- Detection, prevention and investigation of security breaches
- Applications, inventory and other security data connected to endpoints.
Information relating to anomalies, potential threats and security breaches may be
related to username, computer name, IP, e-mail address (sender, recipient), e-mail
subject, or other digital identifier.
Processing, reporting and sharing of data
The data collected by Cyberon Centry is stored, structured and made available to the
controller by Cyberon Security.
All reporting is conducted in such a way that the identity of the data subject is not
revealed, with the exception of any legal order or:
a) When necessary to maintain the day-to-day operations or other legitimate
interests of the controller.
b) Due to the legitimate suspicion that the data subject’s use of the
infrastructure entails a gross violation of the subject’s duties and obligations
or may provide a basis for termination of contract or dismissal.
In such cases the controller is responsible for informing the data subject.
Beyond this, personal data or data related to the controller are not shared with other
parties or individuals.
Anonymised data, data that cannot be related to an individual, can be used by
Cyberon Security for research and development internally or in cooperation with 3.
Data is transmitted and stored encrypted (TLS and dm-crypt) and is subject to
monitoring for three months. Then the data will be taken offline and stored securely
on Cyberon’s servers. The servers handle data behind three security zones. The
access control enables only authorised persons to access the data. All processing is
subject to confidentiality.
Data are stored on Cyberon’s servers in Norway. Personal data not related to special
events are anonymised after 12 months. Upon termination of the agreement all data
that may be linked to the data subject will be anonymised or deleted in accordance
with the agreement with the controller.
Rights of the data subject
The data subject has the right to:
- request access to their personal data
- rectification or erasure of personal data or restriction of processing
- object to processing as well as the right to data portability
- lodge a complaint with a supervisory authority – The Norwegian Data Protection Authority
For more information about access, rectification, erasure, restriction and data
portability, see Articles 15–21 of the General Data Protection Regulation.
Please contact your employer or us for any requests regarding your rights.
Cyberon Security AS
0277 OSLO, Norway