GDPR Compliance
Last updated: March 2026
1. Our Commitment to GDPR
Security Brigade InfoSec Private Limited ("Security Brigade") is committed to complying with the EU General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018. Although our registered office is in Mumbai, India, we process personal data of EU and UK data subjects through our UK office and through our engagements with clients operating in the European Economic Area. We have therefore implemented a GDPR compliance programme that applies across all our operations.
This page provides EU and UK data subjects with specific information about how their personal data is processed and the rights available to them under the GDPR.
2. Our Roles: Controller and Processor
Security Brigade acts in two distinct capacities depending on the context:
- Data Controller: When we collect personal data directly from website visitors, prospective clients, and business contacts (e.g., through our website forms, email communications, or events), we determine the purpose and means of processing and act as the data controller.
- Data Processor: When we perform security assessments (penetration testing, vulnerability assessments, red team exercises) on our clients' systems, we may encounter personal data stored within those systems. In this capacity, we process data solely on behalf of and under the instructions of the client (the data controller). Processing is governed by a Data Processing Agreement (DPA) executed as part of the engagement.
We do not use any personal data encountered during security assessments for our own purposes. Such data is accessed only to the extent necessary to perform the agreed testing activities and is treated as the client's Confidential Information.
3. Legal Bases for Processing (Art. 6 GDPR)
When acting as a data controller, we rely on the following legal bases:
- Performance of a Contract (Art. 6(1)(b)): We process personal data of our clients and their authorised representatives as necessary to perform our contractual obligations, including scoping, executing, and reporting on security assessments, and providing access to our Lemon platform.
- Legitimate Interests (Art. 6(1)(f)): We process personal data for direct marketing to enterprise prospects, website analytics, fraud prevention, and improving our services. We have conducted Legitimate Interest Assessments (LIAs) for each of these processing activities and maintain records of these assessments. You may object to this processing at any time (see Section 5).
- Consent (Art. 6(1)(a)): Where required, we obtain explicit, informed, and freely given consent for specific processing activities, such as subscribing to our newsletters or threat intelligence alerts. Consent is obtained through clear affirmative actions and can be withdrawn at any time by contacting privacy@securitybrigade.com or using the unsubscribe mechanism in any marketing email.
- Legal Obligation (Art. 6(1)(c)): We process personal data where necessary to comply with legal obligations, including tax reporting, corporate filings, and regulatory reporting requirements.
4. Data We Process About EU/UK Data Subjects
In our capacity as data controller, we typically process the following categories of personal data relating to EU/UK data subjects:
- Business contact details: name, job title, company, email address, telephone number.
- Communication records: emails, meeting notes, and proposal discussions.
- Engagement records: SOWs, invoices, and service delivery data.
- Lemon platform account data: username, hashed credentials, session logs, and activity data.
- Website usage data: IP address, browser type, pages visited, and referral source.
We do not intentionally process special categories of personal data (Art. 9 GDPR) such as health data, biometric data, or data concerning political opinions. If such data is incidentally encountered during a security assessment, it is not extracted, recorded, or used by us in any way.
5. Data Subject Rights
Under the GDPR, you have the following rights in respect of your personal data. These rights are not absolute and may be subject to exemptions under applicable law:
- Right of Access (Art. 15): You have the right to obtain confirmation as to whether we process your personal data and, where we do, to receive a copy of the data along with information about the processing (purposes, categories of data, recipients, retention periods, and the source of data not collected from you).
- Right to Rectification (Art. 16): You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
- Right to Erasure (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, or where you object to processing and there are no overriding legitimate grounds.
- Right to Restriction of Processing (Art. 18): You may request that we restrict processing in specific circumstances, such as while we verify the accuracy of contested data or assess whether our legitimate interests override your objection.
- Right to Data Portability (Art. 20): Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to Object (Art. 21): You may object at any time to processing based on legitimate interests (including profiling) or to processing for direct marketing purposes. Upon objection to direct marketing, we will cease processing immediately.
- Rights Related to Automated Decision-Making (Art. 22): We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you. If this changes, we will update this page and provide appropriate safeguards.
To exercise any of these rights, please contact our Data Protection Officer at privacy@securitybrigade.com. We will verify your identity before processing your request and will respond within one calendar month. Where requests are complex or numerous, we may extend this period by two additional months, notifying you of the extension and reasons within the initial month.
If we are acting as a data processor on behalf of your organisation, we will redirect your request to the data controller (our client), as required by Art. 28(3)(e).
6. Data Protection Officer
Security Brigade has appointed a Data Protection Officer (DPO) who can be contacted for all matters relating to the processing of personal data and the exercise of data subject rights:
Data Protection Officer
Security Brigade InfoSec Private Limited
Email: privacy@securitybrigade.com
Response time: Within 5 business days
7. International Data Transfers
Personal data of EU/UK data subjects may be transferred to and processed in India, the United States, and Singapore, where Security Brigade operates offices. India, the US, and Singapore are not currently subject to an adequacy decision by the European Commission under Art. 45 GDPR.
To provide appropriate safeguards for such transfers in accordance with Art. 46 GDPR, we implement the following mechanisms:
- Standard Contractual Clauses (SCCs): We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for transfers from the EEA to third countries. Separate module combinations are used depending on whether we act as controller-to-controller or controller-to-processor.
- UK International Data Transfer Agreement (IDTA): For transfers of UK personal data, we use the IDTA or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner's Office.
- Transfer Impact Assessments (TIAs): Consistent with the Schrems II judgment (Case C-311/18), we conduct Transfer Impact Assessments to evaluate the legal framework and surveillance practices of the receiving country and implement supplementary technical measures where necessary.
- Supplementary Measures: We implement technical safeguards including end-to-end encryption, pseudonymisation where feasible, and strict access controls to mitigate any risks identified in TIAs.
Copies of the applicable SCCs and TIA summaries are available upon request from our DPO.
8. Data Processing Agreements
Where Security Brigade acts as a data processor on behalf of EU/UK clients, we enter into Data Processing Agreements (DPAs) that comply with Art. 28 GDPR. Our standard DPA includes:
- Clear description of subject matter, duration, nature, and purpose of processing.
- Obligation to process data only on documented instructions from the controller.
- Confidentiality obligations binding all personnel with access to the data.
- Implementation of appropriate technical and organisational security measures (Art. 32).
- Restrictions on sub-processing, with prior written consent requirements and equivalent contractual obligations on sub-processors.
- Assistance with data subject rights, data breach notifications, DPIAs, and prior consultation with supervisory authorities.
- Data deletion or return obligations upon completion of the engagement.
- Right to audit and inspect compliance.
We can execute our standard DPA or accept client-provided DPAs. Contact privacy@securitybrigade.com to request our template.
9. Data Breach Notification
In the event of a personal data breach (as defined in Art. 4(12) GDPR) involving EU/UK personal data, Security Brigade will:
- As a data processor: notify the data controller (our client) without undue delay and no later than 48 hours after becoming aware of the breach, providing all information necessary for the controller to fulfil its obligations under Art. 33 and Art. 34 GDPR.
- As a data controller: notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of natural persons (Art. 33). Where the breach is likely to result in a high risk, we will additionally notify affected data subjects without undue delay (Art. 34).
Breach notifications include: the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach and mitigate adverse effects.
10. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) in accordance with Art. 35 GDPR prior to initiating any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. This includes assessments of new service offerings, changes to the Lemon platform that alter data processing characteristics, and new categories of client engagements. DPIA records are maintained and made available to supervisory authorities upon request.
11. Retention and Erasure
We retain personal data of EU/UK data subjects only for as long as necessary for the stated purpose or as required by applicable law. Our standard retention periods are detailed in our Privacy Policy. Upon expiry of the retention period, personal data is securely erased or anonymised in accordance with our data destruction procedures.
12. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement (Art. 77 GDPR). For UK data subjects, complaints may be filed with the Information Commissioner's Office (ICO) at ico.org.uk.
We encourage you to contact us first at privacy@securitybrigade.com so that we can address your concern before formal regulatory action.
13. Contact for GDPR Queries
Data Protection Officer
Security Brigade InfoSec Private Limited
Email: privacy@securitybrigade.com
UK Office Contact:
Email: uk.sales@securitybrigade.com