Privacy Policy
Our commitment to protecting your personal data under GDPR and Irish law.
This Privacy Policy explains how Knogin CyberSecurity Limited ("Knogin," "we," "us," or "our") collects, uses, stores, and protects your personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Irish Data Protection Act 2018, and all applicable data protection legislation. We act as a data processor when processing personal data on behalf of our clients pursuant to service agreements. This Privacy Policy addresses our role as data controller for personal data we collect directly from you and through our systems.
"Personal data" means any information relating to an identified or identifiable natural person. We may process the following categories of personal data:
Names, titles, aliases, telephone numbers, postal addresses, email addresses, and professional affiliations.
Where relevant to employment applications or client engagements: gender, age, nationality, education history, employment history, professional qualifications, and similar information you provide.
Where you pay for services: bank account numbers, payment card details, transaction identifiers, invoice records, and billing information.
IP addresses, device identifiers, browser type and version, operating system, access timestamps, pages visited, referral sources, session duration, clickstream data, error logs, and system event logs.
User activity patterns, authentication events, access control logs, security incident data, threat indicators, anomaly detection data, and risk assessment scores generated through our security systems.
In certain circumstances, we may process sensitive personal data including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health data, or data concerning sex life or sexual orientation. We only process such data where we have a lawful basis to do so.
We collect personal data through the following means:
Directly from you: When you contact us, create an account, subscribe to services, submit enquiries, apply for employment, or otherwise communicate with us.
Automatically through our systems: When you access our websites or use our services, we automatically collect technical and log data through cookies, server logs, and similar technologies.
From our clients: When we provide cybersecurity services, our clients may provide personal data to us for processing in accordance with our service agreements.
From third-party sources: We may receive personal data from publicly available sources, industry databases, and partners where lawful to do so.
We process personal data only where we have a lawful basis under Article 6 of the GDPR:
Processing necessary for the performance of a contract with you or to take pre-contractual steps at your request.
Processing necessary for compliance with a legal obligation to which we are subject under Irish or EU law.
Processing necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include operating and securing our business, preventing fraud and cybercrime, improving our services, and protecting our clients from security threats.
Where we rely on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Processing necessary to protect the vital interests of you or another natural person.
Where we process special categories of personal data, we rely on one of the following conditions under Article 9(2) GDPR: your explicit consent; processing necessary for employment, social security, or social protection purposes; processing necessary to protect vital interests where you are incapable of giving consent; processing necessary for the establishment, exercise, or defence of legal claims; or processing necessary for reasons of substantial public interest.
We use automated security systems, including machine learning algorithms and artificial intelligence, to analyse user behaviour patterns and system events for the purpose of detecting and preventing security threats. This processing constitutes "profiling" as defined in Article 4(4) GDPR.
Data used for profiling: Our automated security systems process login timestamps, access patterns, device information, IP addresses, geographic location data, session behaviour, activity logs, and historical usage patterns.
How profiling works: Our systems establish behavioural baselines for users and systems, then identify anomalies or deviations that may indicate compromised accounts, credential theft, malicious activity, or security threats. Machine learning models assign risk scores based on factors including access timing, location consistency, device recognition, action patterns, and deviation from established norms.
Consequences of profiling: Profiling may result in security alerts, access restrictions, account suspension, enhanced authentication requirements, or referral for manual review. In certain circumstances, automated decisions may restrict or block access to systems or services.
Legal basis: We process this data on the basis of our legitimate interests in maintaining the security and integrity of our systems and protecting our clients from cyber threats. Where automated decisions produce legal effects or similarly significantly affect you, we rely on Article 22(2)(b) GDPR (processing authorised by law for security purposes) or Article 22(2)(a) GDPR (processing necessary for contract performance).
Under Article 22 GDPR, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. Where we make such automated decisions, you have the right to:
• Obtain human intervention from a qualified member of our security team
• Express your point of view regarding the automated decision
• Contest the decision and request a review
• Obtain an explanation of the general logic involved in the automated processing
• Request information about the significance and envisaged consequences of such processing
To exercise these rights, contact us at privacy@knogin.com. We will respond within one month of receiving your request.
We engage third-party service providers to process personal data on our behalf. These processors are contractually bound to process personal data only on our documented instructions and to implement appropriate technical and organisational security measures. We may engage additional processors for specific services. An up-to-date list of our sub-processors is available upon request by contacting privacy@knogin.com.
Personal data may be transferred to, and processed in, countries outside the European Economic Area ("EEA") that may not provide the same level of data protection as Ireland. Where we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:
Adequacy decisions: Transfers to countries with an adequacy decision from the European Commission (including transfers to the United States under the EU-U.S. Data Privacy Framework for certified organisations).
Standard Contractual Clauses: Transfers subject to EU Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
Binding Corporate Rules: Where applicable, transfers within corporate groups subject to approved binding corporate rules.
Personal data may be transferred to the United States through Microsoft and Cloudflare services, subject to EU-U.S. Data Privacy Framework certification and/or Standard Contractual Clauses. We conduct transfer impact assessments where required to evaluate the level of protection in recipient countries and implement supplementary measures where necessary.
We may disclose personal data to law enforcement authorities, regulatory bodies, or other public authorities where:
• We are required to do so by Irish or EU law, court order, or warrant
• Disclosure is necessary and proportionate for the prevention, detection, investigation, or prosecution of criminal offences, as permitted by Section 41(b) of the Irish Data Protection Act 2018
• Disclosure is necessary to protect the vital interests of any person
• Disclosure is necessary for the establishment, exercise, or defence of legal claims
We will notify you of any disclosure unless prohibited by law or where notification would prejudice an ongoing investigation.
In accordance with Article 48 GDPR and EDPB Guidelines 02/2024, we handle requests from law enforcement authorities outside the EEA as follows:
Mutual Legal Assistance Treaties: Where a request from a third-country authority is based on an international agreement such as a Mutual Legal Assistance Treaty ("MLAT") in force between the requesting country and Ireland or the European Union, we will comply with the request in accordance with that agreement.
Requests without international agreement: Where a request from a third-country authority is not based on an applicable international agreement, the request is not automatically recognised or enforceable under EU law. We will assess whether we have a lawful basis under Article 6 GDPR and an appropriate transfer mechanism under Chapter V GDPR, and may refer the requesting authority to MLAT channels.
Extraterritorial requests: Notwithstanding potential claims of extraterritorial jurisdiction under third-country law (including the U.S. CLOUD Act), we are subject to EU data protection law. We will not disclose personal data to third-country authorities unless the request is made pursuant to an applicable international agreement or we have identified both a lawful basis under Article 6 GDPR and an appropriate transfer mechanism under Chapter V GDPR.
Notification: Where we receive a request from a third-country authority and are not prohibited from doing so, we will inform affected data subjects of the request.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce our agreements. We conduct regular reviews of retained data and securely delete or anonymise personal data that is no longer required.
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:
• Encryption of personal data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Staff training on data protection and information security
• Incident response procedures
• Physical security measures for our premises and data centres
Where we engage processors, we ensure they provide sufficient guarantees to implement appropriate technical and organisational measures.
Under the GDPR and Irish data protection law, you have the following rights:
You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data and information about the processing.
You have the right to have inaccurate personal data rectified and incomplete data completed.
You have the right to have personal data erased in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected.
You have the right to restrict processing in certain circumstances, including while we verify the accuracy of data you have contested.
You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit that data to another controller.
You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
You have the right to human intervention, to express your point of view, and to contest automated decisions.
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
If you are dissatisfied with how we handle your personal data or respond to your requests, you have the right to lodge a complaint with a supervisory authority.
Irish Data Protection Commission
21 Fitzwilliam Square South
Dublin 2, D02 RD28
Ireland
Website: www.dataprotection.ie
Telephone: +353 1 765 0100 / +353 57 868 4800
You may also lodge a complaint with the supervisory authority in your country of residence or place of work if this is different from Ireland.
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe we have collected personal data from a child under 16, please contact us immediately at privacy@knogin.com.
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new effective date. We encourage you to review this Privacy Policy periodically. For significant changes affecting your rights, we will provide prominent notice through our website or by direct communication where appropriate.
If you have any questions about this Privacy Policy or our data protection practices, please contact us:
Data Protection Contact
Knogin CyberSecurity Limited
Dublin 6, Ireland
Telephone: 1800-816933 (Ireland) / +353-1-800-816933 (International)
Email: privacy@knogin.com
We will respond to your request within one month. This period may be extended by two further months where necessary, taking into account the complexity and number of requests. We will inform you of any extension within one month of receiving your request. We may request additional information to verify your identity before responding to your request.