This Privacy Policy explains our privacy practices and how we handle the information we process for both our customers and data subjects.
Cysiv strives to follow these concepts when it processes personal information:
If you have a request, feedback or suggestions on our Privacy Policy, please email Cysiv’s Compliance and Data Protection Officer at compliance@cysiv.com.
Cysiv practices Privacy by Design and Privacy by Default in the design, development and operations of our services. We strive to collect the minimum amount of personal information necessary and to retain it no longer than necessary to meet our contractual obligations or as required by law.
Cysiv is a Data Processor that provides Security Operations Center (SOC)-as-a-Service for customer organizations (i.e. Data Controllers, Covered Entities) looking to improve their overall security posture. In order to perform this service, we collect data from customers’ security and system logs, which we process and analyze for indicators of compromise and malicious behavior. Customers decide which logs to provide to Cysiv and can discontinue any or all feeds at any time.
The following personal data may be collected depending on what services are being provided under contract by Cysiv, what logs are being sent to Cysiv by the customer and which fields the customer has enabled:
Unless required contractually, these logs are kept a maximum of 12 months and are then securely deleted.
Cysiv does not seek to collect any sensitive data through the service (e.g. health, credit card or other sensitive information). It is possible that, as a result of malicious activity by a user or system, limited amounts of sensitive data may be contained in security logs sent to Cysiv. If such sensitive data is discovered, Cysiv will securely delete it. If this continues to be an issue, Cysiv will notify the customer and together we will take appropriate steps to prevent such information from being sent to Cysiv.
Cysiv understands that, given the nature of our business, our customers, and the type and volume of data we process, limited amounts of sensitive personal data may be ingested and stored in our system. We therefore apply the appropriate security controls and procedures with that assumption in mind, e.g. firewalls, role-based access controls, antimalware products, encryption, etc.
Cysiv processes personal data based on several different legal bases, including but not limited to:
If you are a citizen of the EU and have any questions or comments, or wish to make a request under GDPR, please email Cysiv’s Compliance and Data Protection Officer at compliance@cysiv.com.
As Cysiv has no relationship with the data subjects themselves and would have difficulty authenticating any direct requests, employees or customers of Cysiv's corporate customers who wish to review, correct, or delete their personal information must make their request to the employer or service provider who has contracted Cysiv; that organization will then review the request and instruct Cysiv accordingly. Cysiv will respond to such requests in a timely manner and to the best of our abilities. All such requests will be logged, tracked and auditable.
This Privacy Policy explains our privacy practices and how we handle the information we process for our customers with respect to the Health Insurance Portability and Accountability Act (HIPAA) and Protected Health Information (PHI).
Protected health information (PHI) under the US law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity) and can be linked to a specific individual.
While Cysiv collects personal identifiers such as names, email addresses, IP and device addresses from system and security logs for analysis of malicious or suspicious cyber activity, we do not collect any information about health status, provision of health care, or payment for health care services.
Under certain circumstances the data collected could be considered PHI. As an example, a small hospital or clinic could be identified by the naming of its security device. This device name, when combined in the logs with a patient username, URL or IP address, could be considered PHI. The more specific the services of the hospital or clinic, the more sensitive the nature of the PHI would be. On the other hand, a security device name from a large payor, when combined in the logs with a patient name, URL or IP address, could be considered far less sensitive, as there would be no additional information about the health status, provision of health care, or payment for health care, nor could such information realistically be inferred from the name of the payor.
Cysiv’s customers (Covered Entities) have full control over which individual systems or log fields they are willing to provide, based on the service(s) being provided. Individual field attributes can be removed altogether, or regular expressions can be applied to filter out known data string formats such as unique patient identifiers.
Cysiv is a Business Associate and will as required enter into a Business Associate Agreement with our Covered Entity customers and Business Associate third party suppliers.
By law, the HIPAA Privacy Rule applies only to covered entities. Cysiv is not a covered entity and only processes data from a covered entity based on the terms and conditions outlined in a business associate agreement. Cysiv will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule.
Cysiv customers and Cysiv employees or contractors access Cysiv's web-based next-gen SIEM, Cysiv Command, to review logs, detections, cases and dashboards and to perform other administrative functions. Access is controlled by role-based user accounts so that users can only access data that they are authorized to see.
The following personal data may be collected as part of Cysiv Command user account creation and management:
User accounts are deleted when no longer required. User account information captured in Cysiv Command logs (e.g. logins, searches, etc.) is kept for 12 months and then rolled over.
A user can see, modify and delete their user account and log information if they have the appropriate privilege; otherwise, they can make such a request to their company admin or directly to Cysiv. All such requests will be logged, tracked and auditable.
Cysiv uses sub-processors to assist with the delivery of the Service. These sub-processors have access to personal information only to assist Cysiv to process that data as authorized. All sub-processors are subject to a check in which Cysiv reviews privacy, security, and confidentiality practices. Cysiv currently uses the following sub-processors to assist it in providing its services:
Cysiv SOC-as-a-Service
Cysiv is committed to ensuring the security of personal information through reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
We utilize industry security best practices to protect the confidentiality and security of personal information within the Service, by employing technological, physical and administrative security safeguards, such as firewalls, encryption, and other security procedures. These technologies, procedures, and other measures are used to ensure that customer data is safe, secure, and only available to those authorized to access the data. Specifically, we use tools and procedures to restrict access to and disclosure of personal data, obtain assurances from third party information security service providers, secure our networks and physical facilities and ensure management oversight of operations.
Cysiv receives and processes personal data from clients and may transfer, process and store personal information outside of the European Union, wherever we or our third-party service providers operate. Cysiv uses appropriate methods to protect personal data whenever data is transferred from the EU to another location. Specifically, Cysiv employs the EU Controller to Processor Model Contract Clauses (MCC, also known as the Standard Contractual Clauses or SCCs) in our Data Processing Addendum as Cysiv’s transfer mechanism for personal data. The terms of the SCCs apply to the transfer of Customer Personal Data from the EU to Cysiv.
Cysiv’s official website, www.cysiv.com, online services, interactive applications and email messages may use cookies, pixels, web beacons, and embedded programming code on our website to evaluate our marketing efforts and gain information about the way users are viewing our site. These are files that are placed on your computer when you visit our website; they enable our systems, and those of our service providers and processors, to recognize you and collect certain data, which may include your IP address, geolocation data, device details, the web pages you view, and related information about your browsing session. In some instances, we share this information with third-party marketing and data analytics companies who process this information on our behalf and provide us with details about your use of the website and the effectiveness of our marketing campaigns.
This Privacy Policy explains our privacy practices and how we handle the information we process for both our employees and contractors.
Cysiv strives to follow these concepts when it processes personal information:
If you have a request, feedback or suggestions on our Privacy Policy, please email Cysiv’s Compliance and Data Protection Officer at compliance@cysiv.com. If you are a citizen of the EU and have any questions or comments, or wish to make a request under GDPR, please email Cysiv’s Compliance and Data Protection Officer at compliance@cysiv.com.
Cysiv employees and contractors should also refer to “Cysiv’s Privacy Policy – Customers” for information about their account information privacy in Cysiv Command Portal.
Cysiv, like any other company, must collect personal and sometimes sensitive information from employees in order to support business functions such as corporate email, human resource and pay systems, internal collaboration applications, etc. Cysiv processes personal data based on several different legal bases, including but not limited to:
Our intention is not to keep any personal data longer than necessary, and to keep only the minimum required to do our jobs or as required by law.
The following personal data may be collected from Cysiv employees or contractors as part of Cysiv's condition of employment:
User account information will be deactivated when no longer required and retained based on system backup and retention policies. Human resource information will be retained in accordance with applicable laws governing the storage and retention of such data.
Employees or contractors wishing to review, modify or delete their personal account information or HR information can make a request directly to Cysiv HR, who will review the request and direct IT to take the appropriate action based on legal requirements.
Cysiv may disclose personal information in response to subpoenas, court orders, legal process, lawful requests by public authorities (including to meet national security or law enforcement requirements), or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Terms of Service, or as otherwise required by law.
Who Does Cysiv Share Personal Information With?
Cysiv uses sub-processors to assist with the delivery of our corporate services. All sub-processors are subject to a check in which Cysiv reviews privacy, security, and confidentiality practices.
Trend Micro provides business support services to Cysiv including IT, Finance, HR, and Facilities and therefore will have access to Cysiv employee and contractor information. Trend Micro follows the same or equivalent privacy and security guidelines as Cysiv.
Cysiv Internal Systems (not all apply to all employees / contractors)
Cysiv is committed to ensuring the security of personal information through reasonable and appropriate measures to protect it from loss, misuse, and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.
We utilize industry security best practices to protect the confidentiality and security of personal information within the Service, by employing technological, physical and administrative security safeguards, such as firewalls, encryption, and other security procedures. These technologies, procedures, and other measures are used in an effort to ensure that customer data is safe, secure, and only available to those authorized to access the data. Specifically, we use tools and procedures to restrict access to and disclosure of personal data, obtain assurances from third party information security service providers, secure our networks and physical facilities and ensure management oversight of operations.
1.833.229.9800
info@cysiv.com
225 E. John Carpenter Freeway
Suite 1500
Irving, Texas 75062 U.S.A.
Copyright © 2020 Cysiv Inc. All rights reserved. Cysiv and the Cysiv Logo are trademarks of Cysiv Inc. Other marks and names are trademarks or registered trademarks of their respective owners.