CyberGuardian is fully compliant with the EU General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679. This page explains our GDPR obligations and how we help you meet yours.
1. Our GDPR Role
When you use CyberGuardian, we act in two capacities:
- Data Controller — for account data, billing, and website analytics
- Data Processor — for security telemetry processed on behalf of your organization
A Data Processing Agreement (DPA) setting out the processor obligations required by Article 28(3) is available upon request for enterprise customers. Contact: privacy@cyberguardian.io
2. Lawful Basis for Processing
- Article 6(1)(b) — Contract: Processing your account and license data to deliver the service
- Article 6(1)(c) — Legal obligation: NIS2 Article 23 incident reporting to CSIRT/NCA
- Article 6(1)(f) — Legitimate interests: Security threat detection and platform improvement (Recital 49 recognizes ensuring network and information security as a legitimate interest)
- Article 6(1)(a) — Consent: Marketing emails (opt-in only, withdrawable at any time)
3. Data Minimization
We collect only the data necessary to deliver the CyberGuardian service. Security telemetry is processed locally on your endpoint; only aggregated threat intelligence that has been anonymized, so that it no longer relates to an identifiable person and falls outside the GDPR (Recital 26), is shared externally. No personal end-user data from your monitored endpoints is transmitted to our servers.
4. Data Transfers
All data is stored and processed within the European Economic Area (EEA). Our infrastructure provider (Railway) operates EU-region data centers. We do not transfer personal data to third countries without the appropriate safeguards required by Chapter V of the GDPR, such as an adequacy decision (Art. 45) or Standard Contractual Clauses (Art. 46(2)(c)).
5. Data Subject Rights
Under GDPR Articles 15 to 22, you have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain a copy of your personal data within one month (Art. 12(3))
- Right to rectification (Art. 16) — correct inaccurate or incomplete data
- Right to erasure (Art. 17) — request deletion ("right to be forgotten")
- Right to restriction (Art. 18) — limit how we process your data
- Right to portability (Art. 20) — receive your data in JSON or CSV format
- Right to object (Art. 21) — object to processing based on legitimate interests
- Rights re: automated decisions (Art. 22) — we do not make solely automated decisions with legal effects on individuals
Submit requests to: privacy@cyberguardian.io. Response within one month (Art. 12(3); extendable by two further months for complex requests, in which case we tell you why within the first month), free of charge.
6. Security Measures (Art. 32)
- All data encrypted in transit using TLS 1.3
- All data encrypted at rest using AES-256
- Access controls and role-based permissions on all systems
- Regular penetration testing aligned with MITRE ATT&CK
- NIS2 Article 21 security controls implemented and documented
- Incident response procedures per NIS2 Article 23
7. Data Breach Notification (Arts. 33 and 34)
In the event of a personal data breach:
- Where we are the controller, we will notify the Bulgarian CPDP within 72 hours of becoming aware, unless the breach is unlikely to result in a risk to individuals (Art. 33(1))
- We will notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms (Art. 34)
- Where we are the processor, affected enterprise customers (the controllers) will be notified without undue delay after we become aware (Art. 33(2)) as part of our incident response, so that they can meet their own 72-hour deadline
8. Data Retention
- Account data: subscription period + 2 years
- Security telemetry: 30–365 days (configurable by you)
- NIS2 audit logs: minimum 5 years (legal requirement)
- Financial records: 7 years (Bulgarian Accounting Act)
- Backup copies: deleted within 90 days of primary deletion
9. NIS2 and GDPR Intersection
CyberGuardian is uniquely positioned at the intersection of GDPR and NIS2 compliance. Our 15-module NIS2 compliance suite helps you document the technical and organizational measures required under both regulations. The Audit Evidence Vault generates evidence exportable in ENISA JSON format for regulatory submissions.
10. Supervisory Authority
You have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP):
- Website: www.cpdp.bg
- Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria
- Email: kzld@cpdp.bg
11. Contact Our DPO
Data Protection Officer: privacy@cyberguardian.io
CyberGuardian Security EOOD, Sofia, Bulgaria