Privacy Policy & Data Processing Agreement

Version 2.0 | January 2026

Consultoría de Inteligencia y Securización, S.L. (CISEC)

AISAC Platform (AI Security Automation Center)

Last Updated: January 27, 2026

Contents

Part A: Privacy Policy

Part B: Data Processing Agreement

PART A: PRIVACY POLICY

1. Identification of Data Controller

In accordance with Regulation (EU) 2016/679 (GDPR) and Spanish Organic Law 3/2018 (LOPDGDD), the following information is provided:

Data Controller:

  • Legal Name: Consultoría de Inteligencia y Securización, S.L. (CISEC)
  • Tax ID (CIF): B24850877
  • Registered Address: Calle Dublín 33C, Las Rozas de Madrid, Madrid, Spain
  • Commercial Registry: Madrid, Volume 21905, Sheet 48, Page M-390329
  • Email: info@cisec.es
  • Website: cisec.es
  • Business Activity: Cybersecurity services, AISAC platform (AI Security Automation Center), and Pentesting as a Service (PTaaS)

Data Protection Officer (if appointed): To be determined based on processing volume

2. Principles of Data Processing

CISEC processes personal data according to the following GDPR principles:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality
  • Accountability

3. Categories of Personal Data

3.1 Identification and Contact Data

Full name, Email address, Telephone number, Company/organization, Job title, Postal address

3.2 Account Data (AISAC Platform)

Username, Password (bcrypt/Argon2), IP address, Activity logs, Configuration preferences, Roles and permissions (Admin, Security Analyst, Viewer)

3.3 Technical and Navigation Data

IP address, Browser type/version, OS, Pages visited, Session duration, Cookies, Approximate geolocation

3.4 Security Services Data

Security logs and events, Vulnerability analysis data, Pentesting reports, Security alerts, SIEM correlation data

IMPORTANT: CISEC does NOT process special categories of personal data (GDPR Article 9).

4. Purposes and Legal Basis

Purpose                           | Legal Basis                                 | Retention
----------------------------------|---------------------------------------------|-------------------
Registration and AISAC access     | Contract performance (Art. 6.1.b)           | Duration + 6 years
Cybersecurity/pentesting services | Contract performance (Art. 6.1.b)           | Duration + 6 years
Billing and accounting            | Legal obligation (Art. 6.1.c)               | 6 years
SIEM log processing               | Contract + Legitimate interest (Art. 6.1.f) | 30–365 days
Marketing                         | Consent (Art. 6.1.a)                        | Until revocation
Service improvement / AI          | Legitimate interest (Art. 6.1.f)            | Anonymized
Fraud prevention                  | Legitimate interest (Art. 6.1.f)            | 2 years
Legal compliance                  | Legal obligation (Art. 6.1.c)               | As required

5. Data Recipients and Transfers

5.1 Third-Party Recipients (Data Processors)

  • Hosting: Infrastructure providers
  • Database: Supabase
  • SIEM/SOAR: OpenSearch, n8n
  • Payment: Stripe
  • Cloud: Docker, Redis

All Processors sign DPAs per GDPR Article 28.

5.2 International Transfers

  • Supabase (USA): Standard Contractual Clauses
  • Other providers: Within EU or adequacy decisions

6. Data Subject Rights

  • Right of Access (Art. 15)
  • Right to Rectification (Art. 16)
  • Right to Erasure (Art. 17)
  • Right to Object (Art. 21)
  • Right to Restriction (Art. 18)
  • Right to Data Portability (Art. 20) — JSON/CSV format
  • Right not to be subject to automated decision-making (Art. 22)
  • Right to Withdraw Consent

To exercise rights: info@cisec.es — Subject: “GDPR Rights Exercise - [Right Type]”

Response time: 1 month, extendable by 2 months.

Complaints: Spanish Data Protection Agency (AEPD) — aepd.es

7. Data Retention

Data Type                     | Retention Period
------------------------------|----------------------------------
Active user account           | Contract duration
Inactive account (>12 months) | 24 months
Billing/tax data              | 6 years
SIEM event logs               | 30–365 days (plan-dependent)
Platform access logs          | 12 months
Audit logs                    | 2 years
Backups                       | 30 days, then automatic deletion
Marketing consents            | Until revocation

7.1 Post-Termination

  • Day 0–30: Client may export data
  • Day 31: Secure deletion from production
  • Day 60: Deletion from backups
  • Deletion certificate available upon request

8. Security Measures

8.1 Technical

  • Encryption: TLS 1.3 (transit), AES-256 (at rest)
  • Access: MFA, RBAC
  • Authentication: Bcrypt/Argon2
  • Multi-tenant isolation
  • 24/7 SIEM monitoring, IDS/IPS
  • Daily encrypted backups, 30-day retention
  • Monthly vulnerability scans, annual pentesting
  • WAF, IP filtering, VPN for admin

8.2 Organizational

  • Documented security policies
  • Annual GDPR and security training
  • Physical access control
  • Documented incident response plan
  • BCP/DR with annual testing
  • Vendor security assessment

9. Cookies

Type               | Purpose                        | Consent      | Duration
-------------------|--------------------------------|--------------|-----------
Strictly necessary | Authentication/session         | Not required | Session
Functional         | User preferences               | Not required | 12 months
Analytics (GA4)    | Usage statistics (anonymized)  | Required     | 24 months
Marketing          | Not currently used             | Required     |

10. Artificial Intelligence

AISAC uses AI for:

  • Automated security event correlation
  • Anomaly detection and threat analysis
  • Alert prioritization (ML)
  • Automated incident response (SOAR)

IMPORTANT: All critical decisions are supervised by human analysts. GDPR Article 22 compliant.

10.1 AI Training: Anonymized/pseudonymized data only. Clients may opt out.

11. Policy Modifications

  • Substantial changes: 30 days' advance notice via email or platform.
  • Minor changes: Published with updated date.

PART B: DATA PROCESSING AGREEMENT (DPA)

12. DPA Scope

Governs processing by CISEC as Data Processor on behalf of Client as Data Controller when using AISAC.

Definitions:

  • Controller: The Client
  • Processor: CISEC
  • Sub-processor: Third-party providers engaged by CISEC
  • Data Breach: Per GDPR Article 4(12)

13. Data Processing Terms

13.1 CISEC processes data only on documented instructions from the Controller.

13.2 CISEC shall NOT:

  • Process data for unauthorized purposes
  • Sell or rent personal data
  • Use data for CISEC's own marketing
  • Disclose data except as instructed or required by law

13.3 Nature of Processing:

  • Subject: AISAC cybersecurity platform services
  • Nature: Collection, storage, analysis, correlation, automated response
  • Purpose: Security monitoring, threat detection, incident response, compliance
  • Data types: Security logs (IPs, usernames, system identifiers)
  • Data subjects: Client's employees, contractors, system users

14. Processor Obligations

  • 14.1 Confidentiality: Authorized personnel bound by confidentiality, trained on data protection.
  • 14.2 CISEC shall follow documented instructions and inform Controller if instructions violate GDPR.
  • 14.3 Assistance: CISEC assists with DSAR responses, DPIAs, and GDPR Articles 32–36 compliance.

15. Sub-processors

Current sub-processors:

Provider                                    | Purpose            | Transfer Mechanism
--------------------------------------------|--------------------|------------------------------
Supabase, Inc. (USA)                        | Database/auth      | Standard Contractual Clauses
Hostinger International Ltd. (Lithuania/EU) | Hosting            | GDPR compliant
Stripe, Inc. (USA)                          | Payment processing | Standard Contractual Clauses

30 days' notice before adding/replacing sub-processors. Controller may object within 15 days on data protection grounds.

16. Data Subject Rights Assistance

When CISEC receives a DSAR directly:

  1. Forward to Controller within 48 hours
  2. Do not respond without Controller's instructions
  3. Controller responds within GDPR deadlines

Technical capabilities:

  • Access: Data export in AISAC
  • Rectification: Admin can modify User data
  • Erasure: Admin can delete Users and data
  • Portability: Export in JSON/CSV

17. Security (Technical Details)

  • Encryption: TLS 1.3 (PFS), AES-256, HSM key management
  • Access: MFA mandatory for admin, bcrypt (cost ≥12), RBAC, least privilege
  • Network: WAF, DDoS, IDS/IPS, VPN for admin, environment segmentation
  • Application: Input validation, secure sessions, API rate limiting, dependency scanning
  • Data: Pseudonymization, anonymization, encrypted backups (geographically separated, quarterly tested)

Certifications:

  • ENS MEDIA (Spanish National Security Scheme — Medium Level)
  • ISO 27001 (planned)
  • Annual third-party penetration testing
  • Monthly automated vulnerability assessments

18. Data Breaches

18.1 CISEC notifies Controller within 72 hours including:

  • Nature of breach, categories/number of affected subjects/records
  • Contact details of CISEC's data protection point of contact
  • Likely consequences
  • Measures taken/proposed

18.2 CISEC investigates, preserves forensic evidence, contains and remediates.

18.3 Controller responsible for AEPD notification (GDPR Art. 33) and data subject notification if high risk (GDPR Art. 34).

19. International Transfers

Primary processing takes place within the EU. For transfers outside the EEA:

  • Standard Contractual Clauses (SCCs, 2021 version)
  • Adequacy decisions where available
  • Transfer Impact Assessments (TIA) conducted and updated

20. Audit Rights

  • Controller may audit once per year (30 days' written notice required).
  • For-cause audits: Upon reasonable suspicion or after a breach.
  • Alternatives: ISO 27001/SOC 2 certifications, third-party audit reports, completed questionnaires.

21. Data Return and Deletion

During contract: Export available anytime in JSON/CSV.

Upon termination:

  • Day 0–30: Self-service export (read-only state, no charges)
  • Day 31: Deletion from production systems
  • Day 60: Deletion from backups
  • Deletion certificate within 15 business days upon request

Legal hold exception: CISEC may retain data if required by law, with Controller notification.

Final Provisions

Contact: info@cisec.es — Subject: “Data Protection Inquiry”

Address: Calle Dublín 33C, Las Rozas de Madrid, Madrid, Spain

Governing Law: GDPR, LOPDGDD (Spanish Organic Law 3/2018), LSSI-CE (Spanish Law 34/2002)

Last Updated: January 27, 2026 | Next Review: January 2027

Related Documents: Terms and Conditions, SLA, Service Order