Privacy Policy
OpSec Group (“OpSec”) respects the privacy of individuals, and we recognize the need and our responsibilities to ensure appropriate protection and management of the personal information you share with us. We are a global organization; however, we operate in compliance with the European General Data Protection Regulation (GDPR) and Data Protection Act UK and apply such principles and controls worldwide.
Summary
- We keep to a minimum the information we hold about you.
- We use your data to provide our services to you, meet our legal obligations, and improve our website.
- We delete your data when it is no longer needed for these things.
- Generally, we do not give your information to third parties, but there are some exceptions – details of which are outlined below under the ‘third parties’ section.
- You have significant privacy rights.
- We take security seriously.
- We do not record telephone calls.
- We will not share your information with any other company or organization unless required to by law.
- We will not sell your information.
- By visiting www.opsecsecurity.com, you are accepting and consenting to our Terms of Use.
- Your data may be held or processed outside the EEA (See Below for Definition of EEA)
- We use website cookies.
- We are happy to answer your questions about any of this.
Want more detail?
To see more about how we use your personal data, read the notice or notices which apply best to your relationship with us below.
This website may contain links to third party sites. The policies and procedures we described here do not apply to those sites. We suggest contacting those sites directly for information on their privacy, security, data collection, and distribution policies.
ICO registration
OpSec Security Ltd is registered with the Information Commissioner’s Office (ZA346412).
Your rights
You have the following rights regarding your privacy and your personal data:
- To be informed and understand how your data will be used, secured and managed and for what purpose.
- To access the personal data we hold about you and understand how we process it.
- To have your data kept accurately and up to date and to be disposed of securely when no longer required.
- In some circumstances, to restrict our processing of your data, and/or to request we erase your personal data where this is appropriate.
- To object to our processing or withdraw previously given consent.
Not all rights will apply to all processing; however, if you want to exercise any of these rights, please contact us. If you have concerns or a complaint about how we handle your data, please contact us and we will try to resolve the issue. If you remain unhappy with how we have resolved your concern or complaint, you have the right to contact the Information Commissioner’s Office for an independent review.
Get in touch
If you have any questions or concerns about this Privacy Statement or how we handle your personal data, please contact us:
- Chief Information Systems Officer at 40 Phoenix Road, Washington, Tyne & Wear NE38 0AD, UK
- +44 0191 417 5434 (we do not record our calls)
- data.protection@opsecsecurity.com
Security
We use data encryption extensively on our computers, mobile phones, and tablets, and utilize encrypted data communications based on recognized security standards whenever possible. Our preference is to use Transport Layer Security (TLS) to secure email communications using encryption; however, we recognize some of you may not. We therefore run opportunistic TLS, meaning that if you also use it, our communications will be encrypted and secure by default. If you do not use TLS, communications with us will continue but will not be encrypted and may not be entirely secure when passing over the internet. If you want to protect all emails and attached documents you send to us, we encourage you to set up opportunistic TLS also. Our online systems require unique logins and complex passwords and use SSL site encryption to secure web pages. Phone calls are not encrypted or recorded. If you have particular security requirements, please contact us to discuss how we can support you.
Retention
- Data about customers or their clients: Duration of your relationship with us, then six years.
- Financial data: Kept for a minimum 6 years but may be retained for the length of the client relationship, then 6 years if appropriate.
- Client ID verification: Duration of your relationship with us, then six years.
- Data about specific matters: Duration of the matter, then six years.
- Supplier contact details: As long as we have a relationship with you or think we might want to buy products or services from you, or for the duration of a dispute with you.
Further detail on specific retention periods can be provided on request.
Your data and the EEA
We do hold and process customer data in the USA, the Caribbean, and Hong Kong, which are outside the EEA. Our main data center resides in the USA with AWS and in a hosted data center with the Markley Group, with all devices managed directly by OpSec staff in the UK. We ensure data is secure and our suppliers adhere to strict information security and privacy requirements in line with GDPR and UK Data Protection legislation. As a company, we apply GDPR and UK Data Protection legislation principles to our whole organization.
Third parties
We will not transfer your personal data to third parties for their use or purpose without your permission, except in the following circumstances:
- If required to by law or court order
- If you do not pay your bills, we may choose to engage a third party to recover any money you owe us.
We do have a small number of companies providing services to us and they process your data on our behalf:
- Microsoft Azure in the USA – Hosted IT services for our Insight platform.
- Amazon Web Services in the USA – Hosted IT services
- Markley Group in the USA – Hosted Boston data center.
- Microsoft in the USA – Hosted email services.
- Salesforce in the USA – Hosted Customer Relationship Management System.
- Various Accountants and Lawyers in each geographic area.
Clients Privacy Information
What data we hold
As our client, we will hold the following information about you:
- Your name, job role and contact information
- Information about your business activities and, in some cases your customers
- Information and documents about your matters or inquiries, including communications with you
- Billing and payment information
- In some cases, personal identification, vetting information.
We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
Using your information
Providing you security product or services
We use the information we hold about you and your business both personal and otherwise to provide the best service we can, to communicate with you regarding the service or products we are providing or to inform you of other related products or services you may be interested in. We also use your information to bill you and keep track of payments.
GDPR Legal Basis for processing:
- Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.
- Art. 6(b) Contractual requirement to fulfill our contracts with you and communicate with you regarding that contract.
- Art 6(f) Legitimate interests of OpSec to generate business by maintaining contacts, generating proposals and communicating with clients regarding their requirements and making you aware of other related products and services you may be interested in (Marketing); however, you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications; you may still receive service communications. If the need arises we may also rely on legitimate interests for the recovery of unpaid debts.
ID checks
We may need to carry out identity checks on senior persons in your organization as part of setup and maintenance of our working arrangements with you. We retain identity verification information for as long as you are our client, and then seven years.
GDPR Legal Basis for processing:
- Art. 6(c): Legal obligation where we have to do this processing to comply with legal and regulatory obligations.
- Art 6(f): Legitimate interests where it is in OpSec’s interests to ensure legitimate business practices and to validate the identity of our customers.
Technical data
We may use the logs from our servers to assist in our firm’s security, as well as to determine website visitor behavior and help us plan our business strategy; this helps us tailor our services and ensure they are relevant to our customers’ needs.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to gather data to aid business strategy planning.
Prospective Clients
What data we hold
If you contact us, we will hold the following information about you:
- Your name, identity and contact information
- Information about your business activities
- Information and documents about your inquiries, including communications with you
We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
Using your information
Providing advice and information regarding our products and services
If you get in touch looking for information about our products and services we may do some research to understand more about you and what you do. Usually, this means reading up on your products or services, how you position yourself in the market, what you display on your public-facing websites and social media presence, and so on. This helps us work out how best we can help you.
GDPR Legal Basis for processing:
- Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.
- Art 6(f) Legitimate interests of OpSec to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer, however you can opt out at any time.
ID checks
We may need to carry out identity checks on senior persons in your organization as part of setup and maintenance of our working arrangements with you. We retain identity verification information for as long as you are our client, and then seven years.
GDPR Legal Basis for processing:
- Art. 6(c): Legal obligation where we have to do this processing to comply with legal and regulatory obligations.
- Art 6(f): Legitimate interests where it is in OpSec’s interests to ensure legitimate business practices and to validate the identity of our customers.
Dealing with inquiries
If you give us a ring or make contact by email, we will follow up on your inquiry and see if there is a way in which we can help you. We keep a record of enquiries received, to help us plan our business strategy and check that we are offering what potential clients want.
GDPR Legal Basis for processing:
- Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.
- Art 6(f) Legitimate interests of OpSec to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer, however you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications.
Technical data
We may use the logs from our servers to assist in our firm’s security, as well as to determine website visitor behavior and help us plan our business strategy; this helps us tailor our services and ensure they are relevant to our prospective customers’ needs.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to gather data to aid business strategy planning.
Prospective Employees
What data we hold
If you contact us to apply for employment, we will hold the following information about you:
- Your name and contact information
- Resume including qualifications, education and previous experience and employers and your referees’ contact details, as well as anything else you choose to tell us.
If you submit electronically we may also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
Using your information
Considering your application for Employment
We will use your resume or any information you or a recruitment agency provide to us to consider you for employment. If you are unsuccessful, we will retain this information for 6 months after the recruitment exercise has ended and then it will be securely destroyed. If you are employed, it will become part of your personnel file.
GDPR Legal Basis for processing:
- Art. 6(a) Consent if you have applied for employment, we will use these to consider your application.
- Art 6(f) Legitimate interests of OpSec to securely and fairly manage recruitment to ensure we employ the right people for our company and we will use your details to make the appropriate checks.
ID Vetting checks
If you are offered a job, we will need to carry out a verification check on you. We retain identity verification information for as long as you are an employee, and then seven years.
GDPR Legal Basis for processing:
- Art. 6(a) Consent for external vetting checks.
- Art. 6(c): Legal obligation where we have to do this processing to comply with legal and regulatory obligations.
- Art 6(f): Legitimate interests where it is in OpSec’s interests to ensure prospective employees are appropriately vetted.
Technical data
We may use the logs from our servers to assist in our firm’s security, as well as to determine website visitor behavior and help us plan our business strategy; this helps us tailor our services and ensure they are relevant to our prospective customers’ needs.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to gather data to aid business strategy planning.
Website Visitors
Summary
What data we hold
We generate log files from various servers: This will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
We gather cookie information to monitor the use of our site and to improve our services to you. If you choose to use our Contact Us page, we will also gather your name and contact details so we can respond to you.
Using your information
Dealing with inquiries
If you have requested information via our website, e.g. our ‘Contact Us’ page, we will follow up on your inquiry and see if there is a way in which we can help you. We keep a record of inquiries received, to help us plan our business strategy and check that we are offering what potential clients want. We may also use your contact details to inform you of related products or services you may be interested in; however, you can opt out at any time.
GDPR Legal Basis for processing:
- Art. 6(a) Consent if you have asked us to provide you with information on a product and service and provided us with your details.
- Art 6(f) Legitimate interests of OpSec to generate business by maintaining contacts, generating proposals and communicating with prospective clients regarding their requirements. If you have previously requested information we may send you information about related products and services we offer (Marketing); however, you can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications.
Use of cookies on the website
When someone visits our website we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behavior patterns. We do this to find out things such as the number of visitors to the various parts of the site. We also use this information for advertising and marketing purposes.
Please manage your cookies here.
Cookies are small files that the site places on your hard drive for identification purposes; cookies cannot read data from your hard drive. We use cookies to elevate your user experience and the quality of our site and service. These files are used for site registration and customization the next time you visit us. Your web browser may allow you to be notified when you are receiving a cookie, giving you the choice to accept it or not. By not accepting cookies, some pages may not fully function and you may not be able to access certain information on this site. You can also refuse all cookies by turning them off in your browser. You do not need to have cookies turned on to use any area of our website. This website may be configured to collect domain information as part of our analysis of the use of this site. This data enables us to become more familiar with which users visit our site, how often they visit and what parts of the site they visit most often. OpSec uses this information to improve our website. This information is collected automatically and requires no action on your part.
We may use third-party services such as Google Analytics, to collect user information and to help improve site functionality. Some third-party services collect aggregated non-personal information, such as the information sent by a browser as part of a web page request, IP addresses, time and duration of website visits, and/or how you found our website, such as via a search engine or social media. Other third-party services may combine your personal information that you provided to us, with cookies or other website tracking mechanisms. These services may be used to gather information, allowing us to provide you with more information about certain products or services in which you might be interested.
Recent versions of many Internet browsers have incorporated a Do Not Track (DNT) feature, and when turned on, the DNT sends a signal to the website, telling the website that you do not want to be tracked while browsing. Websites may differ in how they respond to the DNT signals. Thus, many cookies may continue to be stored until you choose to delete them.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to secure our IT infrastructure, monitor use of our website, improve the services we offer and gather data to aid business strategy planning and for advertising and marketing.
Technical data
We may use the logs from our servers to assist in our firm’s security, as well as to determine website visitor behavior and help us plan our business strategy; this helps us tailor our services and ensure they are relevant to our prospective customers’ needs.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to gather data to aid business strategy planning.
Other
What data we hold
We may hold the following information about you:
- Your name, job role, company you work for and contact information
We also generate log files from various servers: this will include an IP address assigned to you or, more likely, to someone who provides you with Internet access.
Using your information
Dealing with your inquiry
If you call OpSec or make contact by email, we will follow up on your inquiry and see if there is a way in which we can help you. We keep a record of inquiries received, so that we know what we have said to whom.
GDPR Legal Basis for processing:
- Art. 6(b): Contractual Requirement where we need to process your data to fulfill your contract with us or you and communicate with you regarding that contract.
- Art. 6(f): Legitimate Interests where we need to maintain records of our business relationship in order to provide you with appropriate services and identify future areas we may be able to assist you with. Or if you are a supplier to ensure we can pay you.
Managing our relationship with you
We will use your data to manage our relationship with you, including any inquiries about our products and services.
GDPR Legal Basis for processing:
- Art. 6(b): Contractual Requirement where we are obligated by our contract with you to manage our business relationship in order to fulfill the contracts.
- Art. 6(f): Legitimate Interests of OpSec to manage an ongoing relationship with our suppliers, partners, generate future business or recover a debt.
Keeping you informed of related products or services (Marketing)
From time to time we may contact you to make you aware or keep you up to date regarding our products or services. You can object to this at any time and we will add you to our suppression list and cease sending you such Marketing Communications; you may still receive service communications.
GDPR Legal Basis for processing:
- Art 6(a): Consent: where you have requested information or consented to us sending you such communications.
- Art. 6(b): Contractual requirement where we need to keep you informed about the products and services you receive.
- Art 6(f): Legitimate interests where it is in OpSec’s or the client’s benefit to be kept informed of related products or services where there is an established business relationship existing, without compromising the individual’s privacy.
Technical Data
We may use the logs from our servers to assist in our firm’s security, as well as to determine website visitor behavior and help us plan our business strategy; this helps us tailor our services and ensure they are relevant to our prospective customers’ needs.
GDPR Legal Basis for processing:
- Art. 6(f): Legitimate interests where it is in the business interests of OpSec to gather data to aid business strategy planning.
California Consumer Privacy Act of 2018 (“CCPA”)
As we are a global organization and in the event that we serve certain natural persons in the State of California, we also operate in compliance with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CCPA). When we use the term “personal information” in this statement, we are using that term as the CCPA defines it generally as “personal information” to mean information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. However, personal information does not include publicly available, deidentified, or aggregate consumer information. Notably, the definition of “personal information” also does not apply to the collection of personal information from job applicants, employees – whether you are our employee or any employee of the entity arranging access to our Services for you, business owners, directors, officers, medical staff, or contractors.
Categories, sources, and purposes of the personal information that we may collect and who we share it with
In the event that we act as a “business” under CCPA we may be required to disclose additional information regarding the categories of personal information we collect, the sources where we obtain that information, the purposes for why we collect that information, and who we share that information with. For example, we may collect personal identifying information such as name, address, email address, and commercial relationship and internet related information. We may obtain such information directly from you when you use our services or interact with us or indirectly through cookies and similar technologies included in our services; from the organizations to which you belong, e.g. your employer or affiliated institution, which may provide us with contact information so that we can set up your login; or our partners and service providers. We may use or disclose your personal information for one or more of the business purposes such as providing services to you, developing services for you, marketing services to you, collecting funds from you or to carry out other reasonable business purposes.
We may share your personal information with third party service providers such as cloud storage providers or professional services providers and our affiliates and business partners, other customers (if agreed) and government agencies (if required). We do not sell your personal information as defined under the CCPA.
Your CCPA privacy rights
If you are a resident of California and are not a job applicant, employee/contractor, or employee/contractor of another company interacting with us in your job role, you have the right to request what information we collect, use, and disclose. You also have the right to request that we delete your information. To make such a request, you can contact us through our data protection department at data.protection@opsecsecurity.com or +44 0191 417 5434. Provide us enough information to verify your identity. We will use that information to verify your request. If we cannot initially verify your identity, we may request additional information to complete the verification process, such as, for example, a copy of your driver’s license and/or a recent utility or credit card bill. You can designate an agent to make a request on your behalf by either: (1) having your agent send us a letter, signed by you, certifying that the agent is acting on your behalf and showing proof that they are registered with the California Secretary of State; or (2) by you and the agent executing and sending us a notarized power of attorney stating that the agent is authorized to act on your behalf. Please note that we may still require you to verify your identity before we process a request submitted by your agent.
California residents have the right to opt out of the sale of their personal information by contacting data protection at +44 0191 417 5434 or data.protection@opsecsecurity.com. We will not discriminate against you because you have exercised any of your privacy rights under the CCPA.