Privacy Policy

Last Updated: 15 February 2026 | Version 3.2.1


This Privacy Policy explains how Cipher Knights Ltd (trading as Shift Cova) collects, uses, discloses, and protects your personal data.

ARTICLE 1: INTRODUCTION

1.1 Who We Are

Cipher Knights Ltd (trading as Shift Cova) is a cyber security and software development company registered in England and Wales (Company Number: 14789012) with its registered address at Flat 9, 20 Calais Hill, Leicester, LE1 6FF, United Kingdom, and also registered in Nigeria (RC Number: 1789456) with its registered address at 45 Marina Street, Lagos Island, Lagos, Nigeria.

Throughout this Privacy Policy, "we", "us", "our", and "Shift Cova" refer to Cipher Knights Ltd and its subsidiaries and affiliates.

1.2 Our Commitment

We are committed to protecting and respecting your privacy and personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website www.shiftcova.com (the "Website") or use our Shift Cova platform, mobile applications, and related services (collectively, the "Platform" or "Services").

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and all other applicable data protection laws and regulations.

1.3 Who This Policy Applies To

This Privacy Policy applies to the following categories of individuals ("data subjects"):

  • Clients: Companies, organisations, and individuals that register for a Shift Cova account and subscribe to our Services.
  • Authorised Users: Employees, workers, agents, consultants, and contractors of our Clients who are authorised to access and use the Platform on behalf of the Client.
  • Staff Members: Employees, workers, and contractors of our Clients whose personal data is processed within the Platform for HR management, payroll processing, shift scheduling, compliance tracking, and related purposes.
  • Job Applicants: Individuals who submit job applications through the Platform or otherwise apply for positions with our Clients.
  • Visitors: Individuals who visit our Clients' facilities and are registered through our Visitor Management module.
  • Website Visitors: Individuals who browse our public website or interact with us online.
  • Business Contacts: Individuals who communicate with us for business purposes, including potential clients, partners, and vendors.

1.4 Data Controller vs. Data Processor

It is important to understand our role and your role regarding personal data:

Scenario | Role of Cipher Knights | Role of Client
Client Account Information (name, email, billing details, etc.) | Data Controller | Data Subject
Staff, Applicant, and Visitor Data uploaded to the Platform by Clients | Data Processor | Data Controller
Website Visitor Data (cookies, analytics, etc.) | Data Controller | Data Subject

As a Data Processor, we process personal data only on behalf of and in accordance with the instructions of our Clients (the Data Controllers). Our contractual obligations as a Processor are set out in our Data Processing Agreement (DPA), which is incorporated into our Terms of Service and available upon request.

1.5 Acceptance of Terms

By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with our policies and practices, you must not access or use our Services.

ARTICLE 2: DEFINITIONS

To help you understand this Privacy Policy, here are definitions of key terms used throughout:

  • "Personal Data" means any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • "Data Processor" means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • "Special Category Data" refers to more sensitive personal data requiring extra protection under the UK GDPR, including information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
  • "Criminal Conviction Data" means personal data relating to criminal convictions and offences, or related security measures (such as DBS checks).
  • "Client Data" means all personal data uploaded to the Platform by our Clients about their staff, applicants, visitors, or other individuals.
  • "Data Subject" means the identified or identifiable living individual to whom personal data relates.
  • "Data Protection Legislation" means all applicable laws and regulations relating to the processing of personal data and privacy, including but not limited to: (i) the UK General Data Protection Regulation (UK GDPR); (ii) the Data Protection Act 2018; (iii) the Privacy and Electronic Communications (EC Directive) Regulations 2003; (iv) any implementing or successor legislation; (v) any guidance or codes of practice issued by the Information Commissioner's Office; (vi) where applicable, the EU General Data Protection Regulation (EU GDPR); and (vii) any other applicable data protection laws in any jurisdiction where we operate.
  • "ICO" means the Information Commissioner's Office, the UK's independent regulator for data protection.
  • "Biometric Data" means personal data resulting from specific technical processing relating to the physical, physiological, or behavioural characteristics of a natural person, which allows or confirms the unique identification of that natural person, such as facial images or fingerprints.
  • "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.

ARTICLE 3: WHO WE ARE AND CONTACT DETAILS

3.1 Data Controller (for your account information and website data)

For personal data we collect directly from you as a Client, Authorised User, or Website Visitor (where we determine the purposes and means of processing), the Data Controller is:

Cipher Knights Ltd (trading as Shift Cova)
Flat 9, 20 Calais Hill
Leicester
LE1 6FF
United Kingdom
Email: dpo@cipherknights.com

3.2 Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our compliance with data protection laws and to handle all inquiries regarding this Privacy Policy and our data processing activities. You can contact our DPO at:

Data Protection Officer
Cipher Knights Ltd
Flat 9, 20 Calais Hill
Leicester
LE1 6FF
United Kingdom
Email: dpo@cipherknights.com
Phone: +44 (0)20 1234 5678

3.3 UK Representative (for EU data subjects)

If you are located in the European Economic Area (EEA) and have concerns about our data processing, you may contact our UK representative at the address above or by email at eu-rep@cipherknights.com.

3.4 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Website: www.ico.org.uk
Helpline: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

ARTICLE 4: TYPES OF INFORMATION WE COLLECT

We collect and process different categories of personal data depending on your relationship with us and your use of the Platform. The categories of personal data we may collect include:

4.1 Information Collected from Clients and Authorised Users

When you register for an account, subscribe to our Services, or use the Platform as an Authorised User, we may collect:

4.1.1 Identity Data

  • First name, last name, and title (Mr, Mrs, Ms, Dr, etc.)
  • Username or similar identifier
  • Date of birth (where required for identity verification)
  • Gender (optional, for diversity monitoring where applicable)
  • National Insurance number (for payroll clients)
  • Passport number or other government-issued ID (for verification purposes)
  • Signature (including digital signatures for agreements)

4.1.2 Contact Data

  • Business email address
  • Personal email address (where provided)
  • Business telephone number
  • Mobile telephone number
  • Business address
  • Billing address
  • Emergency contact details (where provided)

4.1.3 Professional and Employment Data

  • Job title and position
  • Department and team
  • Role and responsibilities
  • Employment history
  • Qualifications and certifications
  • Skills and competencies
  • Professional memberships and registrations (e.g., NMC number for nurses)
  • Training records
  • Performance reviews and feedback
  • Reporting relationships (manager, direct reports)
  • Employment type (full-time, part-time, contractor, agency)
  • Hire date and, where applicable, termination date

4.1.4 Financial Data

  • Bank account details (account number, sort code)
  • Payment card information (processed by our payment processors, not stored by us)
  • Tax codes and tax-related information
  • Salary and hourly rates
  • Bonus and commission information
  • Pension enrolment status and contribution details
  • Student loan deduction information
  • Expense reimbursement details

4.1.5 Technical Data

  • Internet Protocol (IP) address
  • Login data and authentication credentials
  • Browser type and version
  • Device type and operating system
  • Time zone setting and location data
  • Browser plug-in types and versions
  • Screen resolution and colour depth
  • Language preferences
  • Cookies and similar tracking technologies (see our Cookie Policy for details)

4.1.6 Usage Data

  • Features accessed and frequency of use
  • Time spent on different sections of the Platform
  • Clickstream data and navigation paths
  • Search queries and results viewed
  • Actions taken within the Platform (e.g., creating shifts, processing payroll)
  • Error logs and performance data
  • Customer support interactions and communications

4.1.7 Profile Data

  • Username and password
  • Preferences and settings
  • Feedback and survey responses
  • Communications preferences

4.2 Information Collected about Staff Members

When our Clients (your employers or contracting organisations) use Shift Cova to manage their workforce, they may upload the following categories of personal data about their staff members:

4.2.1 Identity Data

  • Full name (first name, last name, middle names)
  • Date of birth
  • Gender
  • Marital status (for payroll purposes)
  • Photographs (including profile pictures uploaded by the Client)
  • National Insurance number

4.2.2 Contact Data

  • Personal email address
  • Personal phone number
  • Home address and postcode
  • Emergency contact name, relationship, and phone number
  • Next of kin information

4.2.3 Employment Data

  • Staff ID or employee number
  • Employment type (full-time, part-time, casual, agency, contract)
  • Hire date and (where applicable) termination date
  • Job title and position
  • Department and team
  • Reporting relationships (manager, supervisor)
  • Work location (e.g., care home, office)
  • Employment history and previous roles
  • Qualifications, certifications, and professional registrations
  • Skills and competencies
  • Training records and completion status
  • Performance reviews and appraisal notes
  • Disciplinary records and warnings (where applicable)
  • Grievance records
  • Absence records and reasons for absence
  • Return-to-work interviews

4.2.4 Financial and Payroll Data

  • Bank account details (account number, sort code)
  • Tax code and tax-related information
  • Salary, hourly rate, and overtime rates
  • Bonus, commission, and other payments
  • Pension enrolment status and contribution percentages
  • Student loan deductions
  • Childcare voucher or salary sacrifice information
  • Payroll history and payslip data
  • Expense claims and reimbursements

4.2.5 Time and Attendance Data

  • Shift schedules and assignments
  • Clock-in and clock-out times
  • Geolocation data when clocking in/out via mobile device
  • Biometric data (facial recognition) for clock-in/out where enabled by Client
  • Overtime hours and calculations
  • Leave requests (annual leave, sick leave, parental leave, etc.)
  • Leave approvals and balances
  • Absence records and reasons
  • Holiday accruals and carry-over

4.2.6 Compliance Data

  • Right to Work documentation (passport copies, visa details, work permits)
  • Right to Work expiry dates and verification status
  • DBS check certificates and certificate numbers
  • DBS issue and expiry dates
  • Professional registration numbers and expiry dates (e.g., NMC, GMC, HCPC)
  • Mandatory training completion and expiry dates
  • Policy acknowledgments and dates
  • Consent records for various processing activities

4.2.7 Special Category Data

(with explicit consent or other lawful basis where required)

  • Health Information: Medical questionnaires, disability declarations, reasonable adjustment requests, occupational health reports, sickness absence records and reasons, fitness-to-work assessments, health surveillance data, and any other health information provided for employment purposes.
  • Biometric Data: Facial recognition data captured for clock-in/out functionality (where enabled by Client and where consent is obtained).
  • Religious or Philosophical Beliefs: Where volunteered for equality monitoring or to accommodate religious observances (e.g., prayer times, religious holidays).
  • Trade Union Membership: Where relevant for payroll deductions or employment rights.
  • Sexual Orientation or Gender Reassignment: Where volunteered for equality monitoring purposes.
  • Racial or Ethnic Origin: Where volunteered for equality monitoring purposes.

4.2.8 Criminal Conviction Data

  • DBS check results and disclosures
  • Criminal convictions, cautions, warnings, or reprimands (where relevant to employment)
  • Pending charges or investigations
  • Barred list checks (where applicable for regulated roles)

4.3 Information Collected from Job Applicants

When you apply for a job through the Platform (either directly or through a Client's application portal), we collect:

4.3.1 Application Data

  • Name and contact details (email, phone, address)
  • Date of birth and place of birth
  • CV, resume, and cover letter
  • Employment history and references
  • Educational background and qualifications
  • Professional memberships and certifications
  • Skills and competencies
  • Position applied for and location preference
  • How you heard about the vacancy

4.3.2 Declaration Data

  • Criminal conviction declarations
  • Health declarations (where relevant to the role)
  • Right to work declarations
  • Driving licence information (where relevant)
  • NMC PIN or other professional registration numbers

4.3.3 Equal Opportunities Monitoring Data

  • Gender, marital status, and age range (where provided)
  • Ethnic origin (where provided)
  • Disability status (where provided)
  • Sexual orientation (where provided)
  • Religion or belief (where provided)

This data is collected for diversity monitoring purposes only and is separated from your application data before recruitment decisions are made.

4.3.4 Technical Data

  • IP address at time of application (for fraud detection)
  • Submission time and date (to detect automated submissions)
  • User agent and browser information
  • Honeypot field completion (to detect bot submissions)
  • Turnstile or CAPTCHA verification data

4.4 Information Collected from Visitors

When you are checked into a Client facility using our Visitor Management module, we collect:

4.4.1 Visitor Identity Data

  • Full name
  • Company name (if representing an organisation)
  • Contact details (email, phone number)
  • Photograph (including facial recognition data if enabled)
  • ID document type and number (e.g., driving licence, passport)
  • ID document image (where scanned)
  • Vehicle registration number (where applicable)

4.4.2 Visit Data

  • Date and time of check-in
  • Date and time of check-out
  • Host name and department
  • Purpose of visit
  • Scheduled appointment time and expected duration
  • Areas visited and access granted
  • Badge number issued
  • Digital signature upon check-in (where required)

4.4.3 Health and Safety Data

  • Temperature readings (where screening is required)
  • Health declaration responses (e.g., symptom checks, COVID-19 screening)
  • Consent to health screening
  • Emergency contact details

4.4.4 Security Data

  • ID document verification status
  • Face match confidence scores (where facial recognition used)
  • Watchlist or blacklist checks (where applicable)
  • Escort requirements and assignments

4.5 Information Collected Automatically (Cookies and Tracking)

When you visit our Website or use our Platform, we automatically collect technical data about your equipment, browsing actions, and patterns using cookies, server logs, and similar technologies. For detailed information about the cookies we use and the purposes for which we use them, please see our separate Cookie Policy.

4.6 Information from Third Parties

We may receive personal data about you from various third parties, including:

  • Our Clients: When they upload data about their staff, applicants, or visitors.
  • Recruitment Agencies: When they submit applications on behalf of candidates.
  • Background Check Providers: Such as DBS checking services, right-to-work verification services.
  • References: From former employers or character references provided by applicants.
  • Payment Processors: To process subscription payments and verify billing information.
  • Analytics Providers: Such as Google Analytics, to analyse usage of our Platform.
  • Advertising Networks: To deliver relevant advertising (where you have consented).
  • Social Media Platforms: If you interact with our social media pages or log in using social media credentials.
  • Publicly Available Sources: Such as Companies House, professional registers, or public social media profiles.

ARTICLE 5: HOW WE COLLECT YOUR INFORMATION

We use different methods to collect data from and about you, including through:

5.1 Direct Interactions

You may give us your Identity, Contact, Financial, and other data by:

  • Filling in forms on our Website or Platform (e.g., registration forms, application forms, profile updates).
  • Creating an account and subscribing to our Services.
  • Uploading Client Data about your staff, applicants, or visitors.
  • Submitting a job application through the Platform.
  • Checking in as a visitor at a Client facility.
  • Corresponding with us by post, phone, email, or live chat.
  • Completing surveys or providing feedback.
  • Participating in promotions or events.
  • Reporting problems with our Platform.

5.2 Automated Technologies or Interactions

As you interact with our Website and Platform, we automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this data by using:

  • Cookies: Small text files stored on your device. See our Cookie Policy for details.
  • Server Logs: Information about your requests to our servers.
  • Web Beacons: Small graphic images used to track user behaviour.
  • Analytics Tools: Such as Google Analytics, to analyse usage patterns.
  • Device Fingerprinting: To identify your device for security purposes.
  • Session Replay Technology: To understand how users interact with our Platform (anonymised).
  • Honeypot Fields: Hidden form fields used to detect bot submissions on application forms.

5.3 Third Parties or Publicly Available Sources

We may receive personal data about you from various third parties and public sources as set out below:

5.3.1 Technical Data from the following parties:

  • Analytics providers such as Google Analytics, HubSpot, and Mixpanel.
  • Advertising networks such as Google Ads, LinkedIn Ads, and Facebook Ads.
  • Search information providers such as Google Search Console.
  • Infrastructure providers such as Amazon Web Services, Google Cloud Platform.

5.3.2 Identity, Contact, and Financial Data from the following parties:

  • Our Clients (when they upload your data as a staff member, applicant, or visitor).
  • Recruitment agencies acting on your behalf.
  • Payment and delivery service providers such as Stripe, Flutterwave, PayPal.
  • Background check providers such as DBS checking services, right-to-work verification services.
  • Credit reference agencies (for credit checks, where applicable).
  • Fraud prevention agencies.

5.3.3 Publicly Available Sources:

  • Companies House (for director information).
  • Professional registers (e.g., NMC register, GMC register, HCPC register).
  • The Electoral Register.
  • Public social media profiles (LinkedIn, Twitter, etc.).
  • Court judgments and bankruptcy registers.

ARTICLE 6: HOW WE USE YOUR INFORMATION

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

6.1 To Provide, Operate, and Manage the Platform (Contractual Necessity)

  • To register you as a new Client and set up your account.
  • To process and deliver your subscription, including managing payments, fees, and charges.
  • To provide the core functionality of the Platform, including:
    • Staff record management and HR administration.
    • Shift scheduling, assignment, and time tracking.
    • Payroll processing, including tax and National Insurance calculations.
    • Payslip generation and distribution.
    • Compliance tracking (DBS checks, right to work, training, certifications).
    • Policy management and mandatory acknowledgment tracking.
    • Training management and attendance tracking.
    • Visitor check-in/out and management.
    • Reporting and analytics.
  • To manage our relationship with you, including notifying you of changes to our Terms or Privacy Policy.
  • To enable you to complete job applications and manage the recruitment process.
  • To provide customer support and respond to your inquiries.
  • To communicate with you about your account and subscription.

6.2 To Comply with Legal and Regulatory Obligations

  • To verify right to work in the UK as required by the Immigration, Asylum and Nationality Act 2006.
  • To report payroll data to HMRC under Real Time Information (RTI) requirements.
  • To comply with our obligations under the Data Protection Legislation.
  • To retain employment and payroll records for the statutory periods required by law (e.g., HMRC requires payroll records to be kept for 3 years; DBS records may need to be kept for specific periods).
  • To respond to requests from law enforcement, courts, or regulatory bodies (e.g., HMRC, ICO, CQC, Health and Safety Executive).
  • To comply with safeguarding obligations and prevent harm to vulnerable individuals.
  • To comply with health and safety regulations (e.g., visitor logs, accident reporting).
  • To comply with anti-money laundering regulations and fraud prevention requirements.

6.3 For Our Legitimate Business Interests

We may process your personal data where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Our legitimate interests include:

  • To administer and protect our business and the Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting, and hosting of data).
  • To use data analytics to improve our Platform, marketing, customer relationships, and experiences (including A/B testing and user experience research).
  • To detect, prevent, and address fraud, security breaches, or other harmful activity (e.g., using submission time and IP address to identify bot applications, monitoring for suspicious access patterns).
  • To enforce our Terms of Service and other legal rights.
  • To develop new features and improve existing functionality.
  • For internal training and quality assurance purposes (e.g., monitoring customer support calls).
  • To facilitate business transitions such as mergers, acquisitions, financing, or asset sales.
  • To generate anonymised and aggregated data for industry benchmarks and insights.
  • To manage and respond to legal claims and disputes.
  • To maintain business records and comply with record-keeping obligations.
  • To send you service-related communications (e.g., maintenance notices, security alerts).
  • To send you marketing communications where we have an existing customer relationship and you have not opted out (you have the right to object at any time).

6.4 With Your Consent

We may process your personal data where you have given your explicit consent for one or more specific purposes:

  • To send you direct marketing communications about our products or services that may be of interest (you have the right to withdraw consent at any time).
  • To process special category data where required by law (e.g., health data for medical questionnaires) – we will seek your explicit consent where necessary.
  • To use biometric data (facial recognition) for clock-in/out or visitor management – we will seek your consent where required by law.
  • To place non-essential cookies on your device (see our Cookie Policy).
  • To share your information with third parties for their own marketing purposes (we will never do this without your explicit consent).
  • To participate in optional surveys or research studies.

6.5 To Protect Vital Interests

In rare circumstances, we may process your personal data where necessary to protect your vital interests or those of another person. This may include sharing information with emergency services or medical professionals in case of a serious incident at a Client facility.

ARTICLE 7: LEGAL BASIS FOR PROCESSING (UK GDPR)

Under the UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the legal bases we rely on for different processing activities:

Purpose/Activity | Type of Data | Lawful Basis for Processing
To register you as a new Client and set up your account | Identity, Contact | Performance of a contract with you
To process and deliver your subscription, including managing payments | Identity, Contact, Financial, Transaction | Performance of a contract with you; Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you (notifying you of changes, customer support) | Identity, Contact, Profile | Performance of a contract with you; Necessary to comply with a legal obligation; Necessary for our legitimate interests (to keep our records updated, to provide good customer service)
To enable payroll processing for your staff | Identity, Financial, Employment, Time & Attendance | Performance of a contract with your organisation; Necessary to comply with a legal obligation (HMRC reporting)
To verify right to work | Identity, Compliance (Right to Work docs) | Necessary to comply with a legal obligation (Immigration, Asylum and Nationality Act 2006)
To process DBS checks (for staff in regulated roles) | Identity, Criminal Conviction Data | Necessary to comply with a legal obligation; Substantial public interest (for safeguarding)
To manage shift scheduling and attendance | Identity, Employment, Time & Attendance, Location | Performance of a contract with your organisation; Necessary for our legitimate interests (to ensure adequate staffing levels)
To administer and protect our business and the Platform (security, troubleshooting) | Identity, Technical, Usage | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud)
To use data analytics to improve our Platform and user experience | Technical, Usage, Aggregated Data | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Platform updated and relevant, to develop our business, to inform our marketing strategy)
To detect and prevent fraud (e.g., on job applications) | Identity, Technical, Application Data | Necessary for our legitimate interests (to protect our business and our Clients from fraudulent applications and activities)
To process special category data (health information, biometric data) | Special Category Data | Explicit Consent; or Substantial Public Interest (for equality of opportunity or treatment); or for the purposes of preventive or occupational medicine (for employees); or for the establishment, exercise, or defence of legal claims
To process criminal conviction data (DBS checks) | Criminal Conviction Data | Necessary for the purposes of performing obligations under employment law; Substantial public interest (for safeguarding)
To send direct marketing communications (where we have an existing customer relationship) | Identity, Contact, Technical | Legitimate interests (soft opt-in under PECR) – you can object at any time
To send direct marketing communications (to new prospects) | Identity, Contact | Consent (you can withdraw at any time)
To manage visitor check-in/out at Client facilities | Identity, Visit Data, Health Data | Legitimate interests of our Client (for security and safety); Necessary for compliance with health and safety obligations; Consent (for health declarations where required)
To process job applications | Identity, Application Data, Special Category Data (if provided) | Necessary for the purposes of taking steps at your request prior to entering into an employment contract; Legitimate interests of our Client (to assess candidates); Explicit consent (for special category data)

Note: Where we rely on consent as a legal basis, you have the right to withdraw your consent at any time by contacting us at dpo@cipherknights.com or by using the opt-out mechanisms provided in our communications. Withdrawing consent will not affect the lawfulness of processing based on consent before its withdrawal.

ARTICLE 8: DATA SHARING AND DISCLOSURES

We may share your personal data with the following parties for the purposes set out in this Privacy Policy:

8.1 Within the Cipher Knights Group

We may share your personal data with our subsidiaries, parent company (Cipher Knights Ltd), or affiliated companies, as necessary for internal administrative purposes, to provide the Services, and for the purposes set out in this Privacy Policy. All group companies are bound by data processing agreements and comply with this Privacy Policy.

8.2 Our Clients (for Staff, Applicant, and Visitor Data)

If you are a staff member, job applicant, or visitor, your personal data is processed on behalf of our Client (your employer, prospective employer, or the organisation you are visiting). We will share your data with them and their authorised users as necessary to provide the Services. The Client's own privacy policy will also apply to their use of your data.

Our Clients are responsible for ensuring they have the necessary lawful basis to share your data with us and for providing you with appropriate privacy information.

8.3 Third-Party Service Providers (Data Processors)

We engage trusted third-party companies and individuals to facilitate our Services, perform service-related functions, or assist us in analysing how our Services are used. These third parties have access to your personal data only to perform these tasks on our behalf and are contractually obligated not to disclose or use it for any other purpose. Categories of service providers include:

  • Cloud Infrastructure Providers: For hosting and storing data (e.g., Amazon Web Services, Google Cloud Platform, Microsoft Azure).
  • Payment Processors: To process subscription payments (e.g., Stripe, Flutterwave, PayPal, GoCardless).
  • Email Service Providers: To send notifications, marketing communications, and transactional emails (e.g., SendGrid, Mailchimp, Amazon SES).
  • Customer Support Platforms: To manage support tickets and live chat (e.g., Zendesk, Intercom).
  • Analytics Providers: To analyse usage of our Platform (e.g., Google Analytics, Mixpanel, Hotjar).
  • Background Check Providers: To facilitate DBS checks and right-to-work verification (e.g., GBG, Experian, TrustID).
  • Document Management and Signatures: For digital signatures and document storage (e.g., DocuSign, HelloSign).
  • Communication Tools: For internal and external communications (e.g., Slack, Microsoft Teams).
  • CRM Systems: To manage customer relationships (e.g., Salesforce, HubSpot).
  • Fraud Prevention Services: To detect and prevent fraudulent activity.
  • Legal and Professional Advisors: Such as lawyers, accountants, and auditors.

A complete and up-to-date list of our sub-processors is available in our Data Processing Agreement (DPA) and may be updated from time to time. You may subscribe to notifications of changes to our sub-processors.

8.4 Legal and Regulatory Authorities

We may disclose your personal data where required to do so by law or in response to valid requests by public authorities (e.g., a court, government agency, law enforcement, HMRC, the Information Commissioner's Office, the Care Quality Commission, the Health and Safety Executive). This includes:

  • Complying with a court order, warrant, or other legal process.
  • Responding to a request from a regulatory or supervisory authority.
  • Complying with tax or reporting obligations.
  • Reporting suspected illegal activity or fraud.
  • Protecting the rights, property, or safety of Cipher Knights, our Clients, or others.

Where permitted, we will notify you of such disclosure unless providing notice would be prohibited by law or would compromise a law enforcement investigation.

8.5 Business Transfers

If Cipher Knights Ltd or substantially all of its assets are acquired by a third party (whether by merger, acquisition, reorganization, sale of assets, or bankruptcy), personal data held by us about our Clients and users will be one of the transferred assets. We will notify you via email and/or a prominent notice on our Website of any change in ownership or uses of your personal data, as well as any choices you may have regarding your personal data.

8.6 With Your Consent

We may share your information for any other purpose disclosed to you and with your explicit consent.

8.7 Aggregated or Anonymized Data

We may share aggregated or anonymized information that does not directly identify you with third parties for industry analysis, research, marketing, and other purposes. For example, we may share anonymized benchmarks about average shift durations, payroll processing times, or compliance rates across our Client base. This information cannot be used to identify you.

8.8 No Sale of Personal Data

We do not and will not sell your personal data to third parties for their own marketing purposes. We do not share your personal data with third parties for their direct marketing purposes unless you have explicitly consented to such sharing.

ARTICLE 9: INTERNATIONAL DATA TRANSFERS

9.1 Global Operations

Cipher Knights Ltd is a UK and Nigerian company with global operations. Your personal data may be processed in, transferred to, and stored in countries outside of the United Kingdom and the European Economic Area (EEA), including but not limited to:

  • Nigeria (where our parent company is registered and some operations are based).
  • The United States (where some of our cloud infrastructure providers and sub-processors are located).
  • Other countries where our sub-processors maintain facilities.

9.2 Data Protection Safeguards

Whenever we transfer your personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

  • Adequacy Decisions: We will only transfer data to countries that have been deemed to provide an adequate level of protection for personal data by the UK Government or European Commission. These include countries such as Switzerland, Canada, Japan, and others on the adequacy list.
  • Standard Contractual Clauses (SCCs): We will use specific contracts approved by the European Commission and UK Information Commissioner's Office which give personal data the same protection it has in Europe when it is transferred to countries without an adequacy decision. These are legally binding commitments requiring the recipient to protect your data.
  • International Data Transfer Agreement (IDTA): For transfers from the UK, we may use the IDTA issued by the ICO under Section 119A of the Data Protection Act 2018.
  • Binding Corporate Rules (BCRs): In some cases, we or our group companies may rely on BCRs approved by a supervisory authority.
  • Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the legal framework and protections in the recipient country and implement supplementary measures where necessary.
  • Explicit Consent: In limited circumstances where the above safeguards are not available, we may seek your explicit consent to the specific transfer.

9.3 Specific Transfers and Safeguards

For transfers to the United States, we ensure that our sub-processors are either certified under the UK-US Data Bridge (for transfers from the UK) or the EU-US Data Privacy Framework (for transfers from the EU), or we have executed Standard Contractual Clauses with them and implemented additional technical and organizational measures to ensure an essentially equivalent level of protection.

9.4 Your Rights Regarding International Transfers

By submitting your personal data, you acknowledge that we may transfer, store, and process your data in countries outside your country of residence. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

If you would like further information on the specific mechanism used by us when transferring your personal data out of the UK/EEA, or if you would like a copy of the safeguards we have in place (redacted as necessary to protect confidentiality), please contact us at dpo@cipherknights.com.

ARTICLE 10: DATA SECURITY

10.1 Our Security Measures

We have implemented and maintain appropriate technical and organizational security measures designed to protect your personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are regularly reviewed and updated to reflect technological advancements and evolving threats. Our security measures include:

10.1.1 Technical Security Measures

  • Encryption in Transit: All data transmitted between your device and our Platform is encrypted using TLS (Transport Layer Security) 1.2 or 1.3 protocols, ensuring that data cannot be intercepted or read by third parties.
  • Encryption at Rest: All personal data stored on our servers is encrypted using AES-256 encryption, meeting industry standards for sensitive data protection.
  • Access Controls: Strict role-based access controls (RBAC) and multi-factor authentication (MFA) for all personnel accessing our systems. Access is granted on a least-privilege basis and is regularly reviewed.
  • Firewalls and Intrusion Detection: Enterprise-grade firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and block unauthorized access attempts.
  • Vulnerability Management: Regular vulnerability scanning and penetration testing conducted by independent third-party security experts. Critical vulnerabilities are prioritized and remediated promptly.
  • Secure Development Lifecycle: Our software development follows secure coding practices, including regular code reviews, security testing, and dependency scanning.
  • Backup and Disaster Recovery: Regular encrypted backups of all data with tested restoration procedures to ensure business continuity and data availability in the event of an incident.
  • Logging and Monitoring: Comprehensive logging of system access and activities, with 24/7 monitoring for suspicious behavior and security incidents.
  • Anti-Malware Protection: Enterprise-grade anti-malware and antivirus solutions deployed across all systems.
  • Secure Data Centers: Our infrastructure is hosted on secure, ISO 27001 certified cloud platforms with physical security controls including 24/7 surveillance, biometric access controls, and environmental protections.
  • API Security: All API endpoints are protected with authentication, rate limiting, and input validation to prevent injection attacks and unauthorized access.

10.1.2 Organizational Security Measures

  • Security Policies: Comprehensive information security policies and procedures that are regularly reviewed and updated.
  • Employee Background Checks: All Cipher Knights personnel undergo background checks and are subject to confidentiality agreements.
  • Security Awareness Training: Regular security awareness training for all employees, including training on data protection, phishing awareness, and secure handling of personal data.
  • Incident Response Plan: A documented incident response plan to quickly and effectively respond to any security incidents or data breaches.
  • Third-Party Risk Management: All third-party service providers are vetted and contractually required to maintain appropriate security measures.
  • Data Protection Impact Assessments (DPIAs): We conduct DPIAs for high-risk processing activities to identify and mitigate privacy risks.
  • Regular Audits: Internal and external audits of our security practices and compliance with applicable standards.

10.1.3 Certifications and Compliance

  • ISO 27001 Certified: Our information security management system is certified to ISO 27001:2022 standards.
  • Cyber Essentials Plus: We are certified under the UK Government's Cyber Essentials Plus scheme.
  • SOC 2 Type II: We undergo annual SOC 2 Type II audits for security, availability, and confidentiality.
  • GDPR Compliance: We maintain compliance with UK GDPR and EU GDPR requirements.

10.2 Your Responsibilities

The security of your data also depends on you. Where we have given you (or where you have chosen) a password for access to the Platform, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. You are responsible for:

  • Maintaining the confidentiality of your account credentials.
  • Using strong, unique passwords and not reusing passwords from other services.
  • Ensuring that you log out of your account at the end of each session.
  • Promptly notifying us of any unauthorized use of your account or any other breach of security.
  • Implementing and maintaining security measures on your own systems and networks.
  • Ensuring that any devices used to access the Platform are secure and free from malware.

10.3 No Guarantee

Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal data, we cannot guarantee the absolute security of your data transmitted to our Platform; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.

10.4 Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority (e.g., the ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. We will provide information about the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures we are taking to address it.

ARTICLE 11: DATA RETENTION

11.1 Retention Principles

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements, and to defend against potential legal claims.

To determine the appropriate retention period, we consider:

  • The amount, nature, and sensitivity of the personal data.
  • The potential risk of harm from unauthorized use or disclosure.
  • The purposes for which we process it and whether we can achieve those purposes through other means.
  • Applicable legal, regulatory, tax, and accounting requirements.
  • Industry standards and best practices.
  • Any relevant statutes of limitations.

11.2 Specific Retention Periods

The table below sets out our standard retention periods for different categories of personal data:

| Data Category | Retention Period | Legal Basis / Justification |
|---|---|---|
| Client Account Data (name, email, billing information, account settings) | Duration of the subscription + 6 years | To defend against potential contractual claims; HMRC requirements for financial records (Limitation Act 1980 – 6 years for contract claims) |
| Payroll Records (payslips, tax codes, NI numbers, salary details) | 3 years from the end of the tax year | HMRC requirement under the Income Tax (Pay As You Earn) Regulations 2003 |
| Right to Work Documents (passport copies, visa details) | 2 years after employment ends | UK Home Office Code of Practice for preventing illegal working (Immigration, Asylum and Nationality Act 2006) |
| DBS Certificate Information | 6 months after recruitment decision, or as long as necessary for the role + 6 months | DBS Code of Practice; to defend against potential claims of negligent recruitment |
| Job Application Data (unsuccessful candidates) | 6-12 months after decision | To defend against discrimination claims under the Equality Act 2010 (6 months to bring a claim) |
| Job Application Data (successful candidates) | Moved to employee file and retained as per employment records | Becomes part of employment record |
| Visitor Logs (check-in/out records, visitor details) | 3 months to 1 year (depending on Client requirements) | For security, health and safety, and potential incident investigation purposes |
| CCTV/Facial Recognition Data | 30-90 days (depending on Client requirements) | For security purposes; ICO guidance recommends 30-90 days unless a specific incident requires longer retention |
| Shift and Attendance Records | 3 years | Working Time Regulations 1998 (records of hours worked must be kept for 2 years); payroll purposes |
| Health and Safety Records (including accident reports) | 3 years from date of incident (for most incidents); longer for certain incidents (e.g., RIDDOR reporting – keep for 3 years after report) | Health and Safety at Work etc. Act 1974; Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (RIDDOR) |
| Training Records | Duration of employment + 3 years | To demonstrate compliance with regulatory requirements (e.g., CQC) |
| Policy Acknowledgments | Duration of employment + 3 years | To demonstrate that employees have read and acknowledged policies |
| Equal Opportunities Monitoring Data | 3 years (anonymized after 6 months) | For diversity monitoring purposes; anonymized data may be retained indefinitely |
| Marketing Data (email preferences, consent records) | Until consent is withdrawn or 3 years after last engagement | Based on your consent; we will retain records of consent for 3 years after withdrawal to demonstrate compliance |
| Technical Logs (IP addresses, access logs) | 12 months | For security analysis, fraud detection, and system performance monitoring |
| Customer Support Communications | 3 years after resolution | For quality assurance and to handle any follow-up issues |
| Contractual Documents and Agreements | 6 years after termination | Limitation Act 1980 – 6 years for contract claims |
| Financial Transactions and Invoices | 6 years after the end of the financial year | Companies Act 2006; HMRC requirements |

11.3 Data Deletion and Anonymization

At the end of the applicable retention period, we will take steps to ensure that your personal data is:

  • Securely deleted from our active systems and backups (once backups naturally expire).
  • Anonymized so that it can no longer be associated with you, for research or statistical purposes.
  • Archived in a restricted access system where required for legal purposes (e.g., to defend against claims).

11.4 Termination of Subscription

Upon termination of your subscription, we will provide you with a reasonable period (not less than 30 days) to export your Client Data in a commonly used format (e.g., CSV, JSON). After such period, we may delete all Client Data from our active systems, unless we are required by law to retain it. We are not responsible for any loss of data following termination.

ARTICLE 12: YOUR PRIVACY RIGHTS

Under UK GDPR and other applicable data protection laws, you have certain rights regarding your personal data. If you wish to exercise any of these rights, please contact us using the details in Article 3. We will respond to all legitimate requests within one month (or up to three months for complex requests).

12.1 Your Rights Under UK GDPR

12.1.1 Right to be Informed

You have the right to be provided with clear, transparent, and easily understandable information about how we use your data and your rights. This is why we are providing you with this Privacy Policy. If you require further information, please contact us.

12.1.2 Right of Access (Subject Access Request)

You have the right to obtain confirmation that your data is being processed and access to your personal data (commonly known as a "data subject access request"). This allows you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

To make a subject access request, please submit a written request to dpo@cipherknights.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access the data. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

12.1.3 Right to Rectification

You have the right to have inaccurate or incomplete personal data corrected. You can update much of this information directly through your account settings. If you cannot update the information yourself, please contact us and we will correct it promptly.

12.1.4 Right to Erasure (Right to be Forgotten)

In certain circumstances, you have the right to request the deletion or removal of your personal data where there is no compelling reason for its continued processing. This is not an absolute right and may not apply if we need to retain the data for legal reasons (e.g., HMRC requirements) or to establish, exercise, or defend legal claims.

Circumstances where this right may apply include:

  • The personal data is no longer necessary for the purpose we collected it.
  • You withdraw your consent and there is no other lawful basis for processing.
  • You object to processing based on legitimate interests and we have no overriding legitimate grounds.
  • The personal data has been unlawfully processed.
  • The personal data must be erased to comply with a legal obligation.

12.1.5 Right to Restrict Processing

You have the right to 'block' or suppress further use of your personal data in certain circumstances. When processing is restricted, we can still store your data but may not use it further. Circumstances where this right may apply include:

  • You contest the accuracy of your personal data (and we need time to verify it).
  • The processing is unlawful and you oppose erasure and request restriction instead.
  • We no longer need the data but you require it to establish, exercise, or defend legal claims.
  • You have objected to processing based on legitimate interests (and we need to verify whether our legitimate grounds override your interests).

12.1.6 Right to Data Portability

You have the right, in certain circumstances, to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format (e.g., CSV, JSON) and to request that we transmit that data to another controller. This right applies only to:

  • Personal data you have provided to us.
  • Where the processing is based on consent or contract.
  • Where the processing is carried out by automated means.

12.1.7 Right to Object

You have the right to object to processing based on our legitimate interests (or those of a third party) or for direct marketing purposes.

  • Objection to processing based on legitimate interests: If you object, we will stop processing unless we have compelling legitimate grounds that override your interests, or we need to process for legal claims.
  • Objection to direct marketing: You have an absolute right to object to direct marketing at any time. You can opt out by clicking the "unsubscribe" link in any marketing email, updating your communication preferences in your account, or contacting us directly.

12.1.8 Rights related to Automated Decision-Making and Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Our fraud detection measures on job applications (e.g., using IP addresses, submission time, and honeypot fields) may involve automated decision-making to flag potentially fraudulent submissions. This may result in automatic rejection or additional verification steps. If you believe you have been adversely affected by such automated decision-making, you have the right to:

  • Request human intervention in the decision-making process.
  • Express your point of view.
  • Contest the decision.

12.1.9 Right to Withdraw Consent

If we are relying on consent to process your personal data (rather than another legal basis), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of processing before the withdrawal.

To withdraw consent, you can:

  • Update your communication preferences in your account settings.
  • Click the "unsubscribe" link in any marketing email.
  • Contact us directly at dpo@cipherknights.com.

12.2 How to Exercise Your Rights

To exercise any of these rights, please submit a request to:

Data Protection Officer
Cipher Knights Ltd
Flat 9, 20 Calais Hill
Leicester
LE1 6FF
United Kingdom
Email: dpo@cipherknights.com

Please provide us with:

  • Sufficient information to identify you (e.g., name, email address, company name).
  • Proof of your identity (e.g., a copy of your driving license or passport).
  • A clear description of the right you wish to exercise and the information your request relates to.

12.3 Timeframe and Fees

We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights), unless your request is clearly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or refuse to comply.

12.4 Specific Considerations for Staff, Applicant, and Visitor Data

If you are a staff member, applicant, or visitor whose data was provided to us by one of our Clients (your employer or the organisation you are interacting with), please note:

  • For such data, our Client is the Data Controller and is primarily responsible for responding to your data subject requests.
  • If you make a request to us directly, we will forward it to the relevant Client promptly and assist them in responding as required by law.
  • We may need to coordinate with the Client to verify your identity and the validity of your request.

12.5 Right to Complain

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
United Kingdom
Website: www.ico.org.uk
Helpline: 0303 123 1113

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

ARTICLE 13: CHILDREN'S PRIVACY

13.1 Age Restriction

Our Services are not intended for use by children under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. The Platform is designed for use by organisations to manage their adult workforce and visitors.

13.2 No Intentional Collection

We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal data without your consent, please contact us immediately at dpo@cipherknights.com.

13.3 Deletion of Child Data

If we become aware that we have collected personal data from a child under 18 without verification of parental consent, we will take steps to delete that information from our servers as soon as reasonably possible. We may retain minimal information to prevent re-registration.

13.4 Exception for Job Applicants

The only exception is where an individual under 18 applies for a position that permits under-18 employment (in accordance with UK employment laws). In such cases, we will collect only the minimum information necessary for the application process and will ensure appropriate safeguards are in place.

ARTICLE 14: COOKIES AND SIMILAR TECHNOLOGIES

14.1 What Are Cookies

Cookies are small text files that are placed on your computer or mobile device by websites that you visit. They are widely used to make websites work more efficiently and to provide information to the owners of the site. Cookies may be "persistent" (remaining on your device until deleted) or "session" (expiring when you close your browser).

14.2 How We Use Cookies

Our Website and Platform use cookies and similar tracking technologies to distinguish you from other users, enhance your experience, analyse usage patterns, and deliver relevant content. We use the following categories of cookies:

| Cookie Category | Purpose | Examples | Duration |
|---|---|---|---|
| Strictly Necessary Cookies | Essential for the Website/Platform to function properly. They enable core functionality such as security, network management, and account access. You cannot opt out of these cookies. | Session cookies, authentication cookies, security cookies | Session / Persistent |
| Functional Cookies | Allow the Website/Platform to remember choices you make (such as your language preferences) and provide enhanced, personalized features. | Language preferences, region selection, saved settings | Up to 1 year |
| Analytical/Performance Cookies | Allow us to recognise and count the number of visitors, see how visitors move around the Website/Platform, and understand which pages are most popular. This helps us improve the way our Website/Platform works. | Google Analytics, Mixpanel, Hotjar | Up to 2 years |
| Targeting/Marketing Cookies | Record your visit to our Website/Platform, the pages you have visited, and the links you have followed. We may use this information to make our Website/Platform and any advertising displayed to you more relevant to your interests. | Google Ads, Facebook Pixel, LinkedIn Insights | Up to 90 days |

14.3 Third-Party Cookies

Some cookies are placed by third parties on our behalf to provide services such as analytics and advertising. These third parties may use information about your visits to this and other websites to provide relevant advertisements about goods and services that you may be interested in. They do not collect personal data that directly identifies you.

14.4 Your Cookie Choices

When you first visit our Website, you will be presented with a cookie banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time by clicking the "Cookie Settings" link in the footer of our Website.

You can also control cookies through your browser settings. Most browsers allow you to:

  • See what cookies you have and delete them on an individual basis.
  • Block third-party cookies.
  • Block cookies from particular sites.
  • Block all cookies from being set.
  • Delete all cookies when you close your browser.

Please note that if you choose to block or delete cookies, some parts of our Website and Platform may not function properly.

14.5 Do Not Track Signals

Some browsers have "Do Not Track" (DNT) features that allow you to tell websites that you do not want to be tracked. We currently do not respond to DNT signals because no uniform standard for responding to such signals has been adopted. We will continue to monitor developments in this area.

14.6 Cookie Policy

For more detailed information about the cookies we use and how to manage them, please see our separate Cookie Policy.

ARTICLE 15: CHANGES TO THIS PRIVACY POLICY

15.1 Right to Modify

We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes we make.

15.2 Notification of Changes

  • Minor Changes: For minor changes (e.g., clarifications, typographical corrections), we will post an updated version on our Website with a revised "Last Updated" date. The updated version will be effective as soon as it is accessible.
  • Material Changes: For material changes that significantly affect your rights or how we use your personal data, we will provide a more prominent notice, such as sending an email notification to the primary email address associated with your account or displaying a prominent notice within the Platform at least 30 days before the changes take effect.

15.3 What Constitutes a Material Change

Material changes may include, but are not limited to:

  • Changes to the purposes for which we process your personal data.
  • Changes to the types of personal data we collect.
  • Changes to who we share your personal data with.
  • Changes to our data retention practices.
  • Changes to your rights under this Privacy Policy.
  • Changes resulting from new legal requirements.

15.4 Your Acceptance of Changes

By continuing to access or use our Services after any changes to this Privacy Policy become effective, you acknowledge and agree to be bound by the revised Privacy Policy. If you do not agree to the changes, you must stop using the Services and, if you are a Client, you may terminate your subscription in accordance with our Terms of Service.

15.5 Historical Versions

Previous versions of this Privacy Policy are available upon request. Please contact our DPO at dpo@cipherknights.com if you would like a copy of a previous version.

ACKNOWLEDGMENT AND ACCEPTANCE

BY ACCESSING OR USING THE SHIFT COVA PLATFORM, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS PRIVACY POLICY, UNDERSTAND IT, AND AGREE TO BE LEGALLY BOUND BY IT. YOU FURTHER ACKNOWLEDGE THAT YOU HAVE HAD THE OPPORTUNITY TO REVIEW THIS POLICY AND ASK QUESTIONS ABOUT IT.

IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, YOU MUST NOT ACCESS OR USE THE PLATFORM.

Last Updated: 15 February 2026

© 2026 Cipher Knights Ltd. All rights reserved. "Shift Cova" and the Shift Cova logo are registered trademarks of Cipher Knights Ltd.

Version 3.2.1 | This document constitutes our Privacy Policy under UK GDPR and applicable data protection laws.

Cipher Knights Ltd is registered with the Information Commissioner's Office (ICO) under registration number 00010688180.