Privacy Policy

Effective Date: January 23, 2025
Last Updated: January 23, 2025

1. Introduction

Invasive Security Ltd (“we,” “our,” or “us”) is committed to protecting your privacy and ensuring the confidentiality of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our services.

Company Registration: England and Wales, Company Number: 11903782
ICO Registration: Pending registration with the Information Commissioner’s Office

2. Information We Collect

2.1 Information You Provide

• Contact information (name, email address, phone number)
• Communication preferences
• Service inquiry details submitted through our contact form
• Any information you voluntarily provide during consultations

2.2 Automatically Collected Information

• Essential cookies for website functionality only
• IP addresses (anonymised and not stored beyond session duration)
• Browser type and device information for compatibility purposes only
• Server logs for security monitoring (retained for 30 days maximum)
• CloudFront access logs for performance optimization and security analysis
• No analytics, tracking, or advertising cookies are used

2.3 Information from Third Parties

• Publicly available information relevant to security assessments (OSINT)
• Information from professional references (with explicit consent)
• Threat intelligence data from reputable security sources (anonymized)

3. How We Use Your Information

We use your information to:

• Provide and improve our security and privacy services
• Respond to your inquiries and communicate with you
• Conduct security assessments and risk analyses
• Comply with legal obligations
• Protect our legitimate business interests

4. Legal Basis for Processing

Under GDPR, we process your personal data based on:

• Legitimate Interest: Responding to your service inquiries and providing cybersecurity consultation
• Consent: Where you have explicitly agreed to additional processing
• Legal Obligation: Where required by law enforcement or regulatory authorities

5. Information Sharing and Disclosure

5.1 We Do Not Sell Personal Information

We do not sell, rent, or trade your personal information to third parties.

5.2 Limited Disclosure

We may share information only in these circumstances:

• With your explicit consent
• To comply with legal obligations or court orders
• To protect our rights, property, or safety
• With trusted service providers under strict confidentiality agreements

6. Data Security

We implement industry-leading security measures including:

• Encryption: End-to-end encryption for all communications using TLS 1.3
• Infrastructure Security: AWS-hosted infrastructure with SOC 2 compliance
• Access Controls: Multi-factor authentication and principle of least privilege
• Data Storage: Encrypted at rest using AES-256 encryption
• Network Security: AWS WAF protection against common web attacks
• Monitoring: 24/7 security monitoring and incident response procedures
• Staff Security: Background checks and regular security training for all personnel
• Content Security Policy: Strict CSP headers to prevent XSS attacks
• Regular Audits: Third-party security assessments and penetration testing

7. Data Retention

We retain personal information for specific, justified periods:

• Contact form submissions: 2 years from last contact or until deletion requested
• Client consultation records: 7 years for professional liability and regulatory requirements
• Website access logs: 30 days maximum for security monitoring
• CloudFront logs: 90 days for performance and security analysis
• Email communications: Until you request deletion or withdraw consent
• Security incident logs: 5 years for compliance and learning purposes

8. Your Rights Under GDPR

You have the following rights regarding your personal data:

• Right of Access: Request a copy of personal data we hold about you
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Erasure: Request deletion of your personal data (“right to be forgotten”)
• Right to Restrict Processing: Limit how we use your data
• Right to Data Portability: Receive your data in a portable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise these rights, contact us at: privacy@invasive-sec.co.uk

Response Time: We will respond to your request within 30 days (or 3 months for complex requests)

9. International Data Transfers

Your data is processed within the UK. If international transfer becomes necessary, we will:

• Ensure the destination country has adequate data protection laws
• Implement appropriate safeguards such as Standard Contractual Clauses
• Obtain your explicit consent where required

10. Cookies and Tracking

10.1 Essential Cookies Only

We use minimal essential cookies for:

• Session management: Secure session handling (HttpOnly, Secure flags)
• Security: CSRF protection tokens
• Functionality: Contact form state management
• Preferences: Cookie consent choices

10.2 No Tracking

We explicitly do NOT use:

• Google Analytics or similar tracking services
• Social media tracking pixels
• Advertising cookies or remarketing tags
• Third-party analytics or behavioral tracking
• Cross-site tracking mechanisms

10.3 Cookie Controls

• All cookies expire when you close your browser (session cookies)
• You can disable cookies in your browser settings
• Disabling essential cookies may limit website functionality
• We respect Do Not Track (DNT) browser signals

11. Children’s Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children.

12. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be posted on this page with an updated effective date. For material changes, we will provide additional notice.

13. Contact Information

For privacy-related questions, data protection requests, or to exercise your rights:

Data Protection Contact: privacy@invasive-sec.co.uk
General Contact: contact@invasive-sec.co.uk
Phone: +44 (0) 203 422 0636
Company Address: [Address to be updated before live operation]

For secure communications, use our GPG key (available on our contact page):
Key ID: A3B4F8B5
Fingerprint: 92BB ED6C CA33 3D2E F776 B316 ADE3 A0FE 54A3 8578

14. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with:

Information Commissioner’s Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

15. Technical Safeguards

Our website implements additional privacy-protective measures:

• Content Security Policy (CSP): Prevents unauthorized script execution
• HTTP Security Headers: HSTS, X-Frame-Options, X-Content-Type-Options
• Lambda@Edge Functions: Process requests securely at edge locations
• Origin Access Control: Direct S3 access is blocked; only CloudFront access allowed
• WAF Rules: Protection against OWASP Top 10 vulnerabilities
• Rate Limiting: Protection against abuse and brute force attacks

16. Data Processing Locations

• Primary Processing: United Kingdom
• Hosting Infrastructure: AWS eu-west-2 (London) region
• Edge Processing: AWS CloudFront global edge locations (minimal data processing only)
• Email Services: AWS SES in eu-west-2 region
• Backup Storage: AWS eu-west-2 region with cross-region replication to eu-west-1 (Ireland)

This Privacy Policy is designed to comply with GDPR, UK Data Protection Act 2018, and other applicable privacy laws.