Privacy Policy

Last update: January 2023

Introduction

Hacksclusive is committed to the security and privacy of its users. As a customer or researcher, we want to make sure you understand what information we collect from you and why. Hacksclusive treats your personal data and/or those of your business with the greatest possible care and confidentiality. We believe it is important to inform you of the manner in which your personal data is processed and secured by us.

In this privacy statement, you can find more information on what personal data Hacksclusive processes of you and/or your company, what Hacksclusive uses this personal data for, on what legal grounds and for what purposes Hacksclusive processes this personal data, when Hacksclusive shares the personal data with third parties and when we deploy processors for the processing of the personal data, and what rights you have with regard to this personal data.

Definitions

In this privacy statement, the following definitions apply:

  • processor: a natural or legal person, a government institution, service or other body who/which processes personal data for Hacksclusive;

  • third party: any other besides you, Hacksclusive, a processor, or any person who is authorised to process personal data under the direct authority of the data controller or the processor;

  • you: the person whose personal data is processed by Hacksclusive;

  • personal data: any data which regards you and can also be traced back to you, especially by way of an identifier such as a name, an identification number, location data, online identifier, or of one or more elements which are characteristic of your physical, physiological, genetic, psychological, economic, cultural, or social identity;

  • consent: any free, specific, informed and unequivocal expression of will by which, through a statement or an unequivocal active operation, you accept the processing of your personal data;

  • provision of personal data: the disclosure or making available of personal data; and

  • processing of personal data: an act of processing or a whole of acts of processing regarding personal data or a whole of personal data, whether or not carried out through automatic procedures, such as the collecting, recording, ordering, structuring, storing, updating or modifying, requesting, perusing, using, providing by way of forwarding, distributing or making available in another manner, aligning or combining, shielding or destroying of data;

  • (Hacksclusive) Service(s): the services offered by Hacksclusive through the Platform, which focus on the control of the security of your online information systems;

  • Hacksclusive-Team: the employees, contractors and/or third parties (partners) deployed by Hacksclusive for the benefit of the Hacksclusive Services.

Applicability

This privacy statement applies to:

    • visitors of the Website (hacksclusive.com);

    • users of the Platform (app.hacksclusive.com);

    • potential customers and other persons with whom Hacksclusive is in contact, or tries to be, by email or by telephone;

    • newsletter subscribers;

    • recipients of newsletters and invitations for events (in the following: Marketing) of Hacksclusive;

    • customers of Hacksclusive; and

    • all other persons who contact Hacksclusive and of whom Hacksclusive processes personal data.

When does Hacksclusive process personal data?

Hacksclusive receives personal data from you in the following situations:

  • When you visit the Website;

  • When you make use of the Platform and the Services;

  • When you contact Hacksclusive, for example, by email, by way of the registration form on the website, telephonically, or through social media, such as LinkedIn, Twitter or Facebook;

  • When you register for the Marketing of Hacksclusive; and/or

  • When you provide data to us on account of a customer relation with Hacksclusive.

What personal data does Hacksclusive process?

  • Visit of Website
    In case of a visit to the Website, our servers automatically store information, such as the URL, IP address, browser type and language, date and time of the visit and your email address. For the rest, we would like to refer you to our cookie statement https://app.hacksclusive.com/cookies for more information we collect on you during the use of the Website.

  • When you make use of the Platform
    If you use the Platform, you have entered into an agreement with Hacksclusive so you can use the Hacksclusive Services.
    In the case of the Platform being used, we collect information that your browser sends when you visit our Platform (‘Log-data’). This log-data may contain information such as the IP address of your computer, browser type, browser version, the pages you visit within the Platform, the time and the date of your visit, and the time spent on those pages.

    As a customer, you can have the security of your online information systems assessed. Our Team carries out this assessment and prepares a report based on its findings. If personal data comes to light during the survey, for example, when a data leak is identified in your information security that exposes the data of your customers, that personal data can be perused by all parties involved in the survey, that is: the Researchers, the Triage-Team, and us. It is not our purpose to store this data, but the perusal of that data already qualifies as the processing of personal data. Therefore, when you use the Application, there is a possibility that we process your personal data and/or that of third parties involved, such as customers.

  • Contact with Hacksclusive
    When you contact Hacksclusive, for instance, with a request for information or advice on our Services, Hacksclusive processes the personal data which you thereby transmit to us, such as the contact information provided by e-mail, through the registration form on the Website or by telephone, but also the information provided during an introductory conversation, or during an event which is organised by Hacksclusive. We keep this information in our customer database, Hubspot. The email address, name and/or phone number provided by you through the registration form on the Website or otherwise will be used for providing information or advice as requested.

  • Marketing (and unsubscribing)
    Hacksclusive makes use of newsletters, and subscribers are sent newsletters with things which may be relevant for our (potential) customers and researchers, such as events, blog posts or customer cases. All other relevant information for our customers, such as release notes and notifications, can be found on the Platform.

    We make use of registration forms on the Website. We ask for your name, organisation, email address and phone number so we can reach out to you. We keep your contact information in our customer database, Hubspot. We keep this information for two years after it has been stored there. The information will only be used for the purpose it was given to us.

  • Data provided and collected from other sources on account of the customer relation with Hacksclusive.
    When you make use of the Platform and the Hacksclusive Services, Hacksclusive processes the personal data which you have transmitted to us by email, the contact form on the Website, during consultations or in another manner. We process the following personal data:
    First name, last name, email address, company name, phone number, function, country.

  • Transmission of data outside the European Economic Area
    Any possible personal data we process as a result of the survey mentioned under 3 sub b can, in some cases, be transmitted outside the European Economic Area (“EEA”) because it may be necessary for the delivery of our Services (also see in the following under 8, Third Parties). The (personal) data mentioned under 3 sub b we obtain as a result of the use of the Application are not provided outside the EEA.

What is the purpose of processing personal data?

  • Optimisation Website, Platform, Services, and provision of information
    The information which the Website and/or the Platform automatically stores and generates of you (see for this under 3 sub a and sub b) is used by us to further optimize the organisation of our Website, Platform, and Services and to improve the provision of information concerning, but also to prevent fraud. In addition, during the use of the Website and/or the Service, cookies are placed on your computer, smartphone, or tablet. We would like to refer you to our cookie statement https://app.hacksclusive.com/cookies for more information which we collect on you when using the Website.

  • Implementation of the agreement between you and Hacksclusive 

    For the implementation of the agreement between you and Hacksclusive, Hacksclusive, in any case, needs your contact and invoicing information, besides being required in many cases to process other personal data as well, depending on the type of Service you purchase from Hacksclusive.

    • Maintaining contact with you. If you request information from Hacksclusive, Hacksclusive processes the personal data provided to comply with that request and/or to answer your questions.

    • Other purposes for the use of personal data: Personal data is only used for audits and assessments.

What are the grounds for processing personal data?

The personal data is only processed if one of the following conditions (grounds) has been complied with:

  • you have given your consent for it;

  • it is necessary for the implementation of an agreement to which you are a party;

  • it is necessary to comply with a legal obligation which Hacksclusive is subject to;

  • it is necessary to protect the vital interests of you or of another natural person (these grounds are not rare);

  • it is necessary to defend the legitimate interests of Hacksclusive, for instance, to protect the security or integrity of our “Service” or a third party, except in the event that your interests or basic rights and fundamental freedoms outweigh the interests of Hacksclusive and/or the third party.

How does Hacksclusive manage the security of personal data?

The security of your personal data is our top priority. Our team consists of a great number of security experts who are constantly assessing and improving the manner in which we collect, process, and store your personal data. Hacksclusive has taken physical, organisational and technical measures to assure the security of our customers. Hacksclusive observes a security level for processing personal data, which, within the possibilities of current techniques, is sufficient to prevent unauthorised access, modification, publication, or loss of your personal data. The security measures taken by Hacksclusive are based on ISO/IEC 27002 (2022) and the security guideline NCSC (2015). The most important (security) measures of Hacksclusive are:

  • The data security policy, in which specific attention is also dedicated to data classification, the granting of access, and the control of vulnerabilities;

  • The appointment of a Privacy lead. The Privacy lead collaborates closely with the Technical lead. The Privacy lead and Technical lead are responsible for, amongst other things, the attribution of authorisations for access to sensitive customer information, securing back-ups, registering and handling incidents and monitoring compliance with the security policy.

  • The screening of staff prior to possible employment. Furthermore, every five years, all employees and contractors require a certificate of good behaviour. In addition, partners sign a non-disclosure statement.

  • The application of information classification, that is, a distinction will be made in the provision of information to the Hacksclusive-Team. The most important principles of information classification are elaborated below:

    • All sensitive information regarding customers' security risks is shared inside the Platform. The Platform can be secured by way of two-factor authentication. The Hacksclusive-Team and the customers themselves must set this authentication.

    • The Business, Sales and Operations leads are the only people at Hacksclusive to have access to customer contracts and associated matters.

    • All other files, such as personnel documents and email traffic in the online environment of Hacksclusive, are also secured by access authorisations. The Business lead gives authorisations to the Hacksclusive-Team.

  • Having a policy for network protection. There is an internal network at the office; on this internal network, sensitive information is handled. This network is not accessible from the outside, as it is password-secured.

  • The application of a ‘clear screen’ and ‘clean desk’ policy means that the Hacksclusive-Team is obliged when leaving their workstation to lock their PC or laptop. The workstation must be left behind clean and tidy when leaving the building.

  • Having a policy in place for the physical security of both access and environment. The office of Hacksclusive is protected against invaders by way of (electronic) locks. The office area is closed, and an electronic key must be used to gain access.

  • The policy for security incidents. Future incidents are registered in the internal incident register. The Data protection lead becomes responsible for the registration and timely handling of the incidents. After handling the incident, it will be evaluated, and appropriate improvement measures will be taken.

  • We have also implemented response procedures. If Hacksclusive were to face a data leak, our Data protection lead will be informed of the data leak. If the nature, severity, and extent of the data leak require such, the data subjects will be informed accordingly within 48 hours, and Hacksclusive will make a report to the monitoring agency Autoriteit Persoonsgegevens within 72 hours. When reporting the data leak, we provide information and facts regarding the data leak. In addition, we indicate to which category the data subjects belong and provide additional information so the report can be treated with due care.

  • Our database with customer information is saved digitally. The database is only accessible to authorised members of the Hacksclusive-Team.

  • Our Wi-Fi network is protected with RADIUS. This means members of the Hacksclusive-Team need a certificate, username, and password to access the network.

What are your rights?

You have the right to peruse your personal data, to have it corrected, supplemented, modified, or even removed. For some personal data, it could be that Hacksclusive is legally obliged to keep it. Hacksclusive cannot modify and/or remove such personal data at your request.
We ask you to mail such requests to privacy@hacksclusive.com. We will take your request into consideration as soon as possible, with a final term of four weeks. If you submit a request, we ask for a copy of your ID so that we can verify your identity against the requested information. We ask you emphatically to black out the social security number on the copy of the ID, because we may not process social security numbers without being legally obliged to do so. Please indicate in the email you send us regarding the request that you have blacked out the social security number on the copy of the ID. Also take into account that, after we have modified or removed your personal data at your request, this information may still be available for a while in our back-ups until these back-ups are deleted as well. If you have deregistered, we will keep the deregistration (that is, not the personal data themselves) for 5 years after deregistration.

In some cases, you also have the right to obtain your personal data, which you have provided Hacksclusive with, in a structured, customary, and machine-readable form, and you have the right to transfer this data if the processing by Hacksclusive takes place in the manner to which in the applicable legislation and regulations the transferability of data has been assigned.

To exercise the rights mentioned in the preceding, you can send an email to privacy@hacksclusive.com.

How does Hacksclusive manage cookies?

Cookies are files with a tiny quantity of data. Cookies are sent from a website to your browser and stored on the hard disk of your computer. We use cookies to collect information. You can instruct your browser to refuse cookies or use your browser to see how long cookies are stored.
We can also collect information that your browser sends when you visit our “Service” (“Log-data”). This log-data can contain information such as the internet protocol address (“IP”) of your computer, browser type, browser version, the pages of our service you visit, the time and the date of your visit, the time spent on those pages, and other statistics.

How does Hacksclusive manage the processing of personal data by Third parties?

We will not transmit your personal data to third parties without your consent unless:

  • It is necessary in the context of negotiations on, the conclusion of, and the implementation of the assignment agreement between you and Hacksclusive; and/or
  • It is necessary to offer the Service to you;
  • Hacksclusive, on the grounds of a legal obligation or in an emergency, is obligated to transmit the personal data to government agencies, such as in the event a court order imposes the obligation of providing personal data to third parties. Exclusively the data we are obliged to provide will be furnished;
  • Hacksclusive organises a training or event with a third party, in which case exclusively your contact information will be shared with a third party;
  • A reorganisation or transfer of business activities takes place at Hacksclusive with the result that Hacksclusive must transfer personal data to another organisation.

For the provision of services, we deploy the Hacksclusive-Team to implement and facilitate our Platform and Services, to provide Service-related services or to help us with the analysis of the manner in which our Service is used. The Hacksclusive-Team only has access to your personal information on a need-to-know basis. In addition, they may be able to see the personal data of your customers. We deem it necessary that these parties see the personal data so as to be able to provide the Services to you. We commit ourselves and are obliged not to disclose this personal data nor to use it for other purposes. We conclude agreements with the parties deployed by us in which we oblige these parties to maintain secrecy and to process personal data to offer the Services to you exclusively. Our server is in the EEA, and the Platform and its (encoded) database are hosted within the EEA. 

How does Hacksclusive manage international transfer of personal data?

Your information, including personal information, can be transferred to, and maintained on, computers outside your state, province, country, or other governmental jurisdiction where legislation regarding data protection may be different from that in your jurisdiction. If you are located outside the EEA and you choose to provide us with information, please take into account that we transfer the information, including personal information, to the EEA where we will process it.

By using the Website and/or the Service outside the EEA, followed by the submittal of such information, you indicate your approval of the international transfer.

To what extent is the privacy statement of Hacksclusive applicable to third parties?

The privacy statement of Hacksclusive does not apply to websites and/or applications of third parties, even if Hacksclusive has placed a hyperlink or connection to these other websites on its Website. When you use our Platform, links to other websites may direct you to websites which are not managed by us. These links to websites will then be included in the reports of researchers. If you choose to click on such a link, you will be directed to that third party's website. Hacksclusive does not accept any responsibility and liability with regard to the manner in which these third parties handle personal data and cookies. We advise you to read those websites' privacy and cookie statements before you visit them.

How does Hacksclusive manage the processing of personal data by Third parties?

Hacksclusive deploys third parties to process your personal data. These third parties (processors) process your personal data exclusively within our assignment, and we conclude processor agreements with these third parties which are compliant with the requirements of GDPR (or its Netherlands ratification AVG). This regards, amongst other things, companies and/or persons involved in the Application and the Services (‘developers’) or service providers which provide hosting services. In addition, our accountant processes personal data.

How long does Hacksclusive store personal data?

Your personal data is kept for as long as it is necessary for the realisation of the purposes, as mentioned in article 4 of this privacy statement. After the (legal and/or regulatory) retention period, your personal data is destroyed.

Hacksclusive keeps the reports of the researchers for 2 years after the reports have been drawn up. We keep the customer information for a period of 5 years after the end of the agreement or termination of the provision of services. This term is necessary for defence in case of a claim on Hacksclusive. The customer base is protected by way of the security measures as stipulated in article 6 of this privacy policy.

The above retention period does not apply in case Hacksclusive is subject to a legal obligation to keep the personal data any longer.

How does Hacksclusive manage the privacy of children?

We do not aim our services at children under 18, so our service does not regard minors. We do not deliberately collect personal, identifiable information on minors. Please contact us if you are a parent or guardian and know that your children have provided us with personal data. If we become aware that we have collected personal information on a child younger than 13 without the parent’s consent, we take action to remove the information from our servers.

If you have questions about our privacy statement, contact our Privacy lead at:

Attn: Privacy lead
Hacksclusive B.V.
Lübeckweg 2
9723 HE Groningen
The Netherlands
Email: privacy@hacksclusive.com 

Modifications

We reserve the right to modify the privacy statement at all times, for example, because legislation or regulations change. The most recent version can always be found on the Website and in the Application. If and when the privacy statement is comprehensively reviewed, we report this on the Website. You are advised to regularly check this privacy statement for any possible changes. Modifications to this privacy statement are effective when they are published on this page.

If you have questions, comments and/or complaints in general or about/regarding our privacy statement, you can contact the monitoring agency of ‘Autoriteit Persoonsgegevens’ at: https://autoriteitpersoonsgegevens.nl/en.