Privacy Policy

Last updated: March 2026

1. Introduction

Security Brigade InfoSec Private Limited ("Security Brigade", "we", "us", or "our"), a company incorporated under the laws of India with its registered office in Mumbai, Maharashtra, is committed to protecting the privacy and security of personal data entrusted to us by our clients, website visitors, and other stakeholders. As a CERT-In empanelled cybersecurity firm, we hold ourselves to the highest standards of data stewardship.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal data when you visit our website (securitybrigade.com), engage our services, or interact with us in any capacity. This policy applies to all our offices in India, the United Kingdom, the United States, and Singapore.

By accessing our website or engaging our services, you acknowledge that you have read and understood this Privacy Policy. Where we act as a data processor on behalf of our clients during security assessments, the client's own privacy policy governs the processing of their end-user data.

2. Data Controller Information

For the purposes of the EU General Data Protection Regulation (GDPR), India's Digital Personal Data Protection Act, 2023 (DPDP Act), and other applicable data protection legislation, the data controller is:

Security Brigade InfoSec Private Limited
Registered Office: Mumbai, Maharashtra, India
CIN: Available upon request
Email: privacy@securitybrigade.com
Data Protection Officer: privacy@securitybrigade.com

3. Categories of Personal Data We Collect

We collect and process the following categories of personal data:

  • Contact and Identity Data: Name, email address, phone number, job title, company name, and postal address provided through our contact forms, sales enquiries, or service engagements.
  • Account and Authentication Data: Login credentials for our Lemon assessment platform, including usernames and hashed passwords. We never store passwords in plaintext.
  • Technical and Usage Data: IP address, browser type and version, operating system, referral source, pages viewed, session duration, and other analytics data collected via server logs and cookies.
  • Engagement and Contractual Data: Statements of work, proposals, NDA records, invoicing details, and communication records related to our service delivery.
  • Security Assessment Data: During the course of penetration testing, vulnerability assessments, and related engagements, we may encounter or process personal data residing in client systems. Such data is processed strictly as a data processor under the client's instructions and is governed by the applicable engagement agreement and NDA.
  • Career Application Data: CVs, cover letters, professional qualifications, and references submitted through our careers page or direct applications.

4. Legal Bases for Processing

We process personal data on the following legal grounds:

  • Contractual Necessity (Art. 6(1)(b) GDPR / Sec. 4 DPDP Act): Processing required to perform our contractual obligations, including delivering security assessments and providing access to the Lemon platform.
  • Legitimate Interests (Art. 6(1)(f) GDPR): Processing for our legitimate business interests, such as improving our services, marketing our offerings to enterprise prospects, fraud prevention, and network security. We conduct balancing tests to ensure these interests do not override your fundamental rights.
  • Consent (Art. 6(1)(a) GDPR / Sec. 6 DPDP Act): Where we rely on consent, such as for marketing communications or non-essential cookies, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
  • Legal Obligation (Art. 6(1)(c) GDPR / Sec. 4(2) DPDP Act): Processing necessary to comply with Indian tax laws, CERT-In reporting obligations, and other statutory requirements.

5. How We Use Your Data

We use personal data for the following purposes:

  • Delivering and managing security assessment engagements, including scoping, testing, reporting, and remediation validation.
  • Providing and maintaining access to our Lemon AI-powered assessment platform.
  • Responding to enquiries, providing quotes, and communicating about our services.
  • Sending relevant industry updates, threat intelligence alerts, and service notifications (with consent where required).
  • Analysing website usage patterns to improve user experience and content relevance.
  • Fulfilling legal, regulatory, and compliance obligations, including CERT-In reporting.
  • Protecting the security and integrity of our systems, networks, and client data.

6. Cookies and Tracking Technologies

Our website uses cookies and similar technologies. We categorise these as:

  • Strictly Necessary Cookies: Required for the website to function, including session management and security tokens. These cannot be disabled.
  • Analytics Cookies: Used to understand how visitors interact with our website. We use privacy-respecting analytics that do not create individual user profiles.
  • Functional Cookies: Enable enhanced functionality such as remembering your preferences and form entries.

We do not use third-party advertising trackers. You can manage your cookie preferences through your browser settings. For EU visitors, non-essential cookies are loaded only after you provide affirmative consent.

7. Data Sharing and Third-Party Disclosure

We do not sell personal data. We may share personal data with the following categories of recipients, subject to appropriate contractual safeguards:

  • Group Entities: Our offices in India, UK, US, and Singapore for operational coordination and service delivery.
  • Technology Service Providers: Cloud hosting providers, email delivery services, and CRM platforms that assist in our operations, each bound by data processing agreements.
  • Professional Advisors: Legal counsel, auditors, and insurers where necessary for professional advice or regulatory compliance.
  • Regulatory and Law Enforcement Authorities: Where required by applicable law, court order, or regulation, including CERT-In under the Information Technology Act, 2000.
  • Channel Partners: Where you have been referred by or are engaging through one of our authorised channel partners, limited contact information may be shared for coordination purposes.

8. International Data Transfers

Given our global operations, personal data may be transferred between our offices in India, the United Kingdom, the United States, and Singapore. For transfers of data originating in the European Economic Area (EEA) or the United Kingdom to countries not recognised as providing an adequate level of data protection, we implement appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • The UK International Data Transfer Agreement or Addendum, as applicable.
  • Supplementary technical and organisational measures including encryption in transit and at rest.

Under the DPDP Act, cross-border transfers from India are permitted to all jurisdictions except those specifically restricted by the Central Government. We monitor the Government's restricted jurisdiction notifications and comply accordingly.

9. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:

  • Client engagement records: 7 years from the date of last engagement, as required under Indian tax and company law.
  • Security assessment reports and vulnerability data: Retained for the duration specified in the engagement agreement, typically 12 months post-delivery, unless the client requests earlier deletion.
  • Website analytics data: Aggregated data retained indefinitely; individual-level data purged after 26 months.
  • Marketing consent records: Retained for the duration of your consent plus 3 years to demonstrate compliance.
  • Career applications: Retained for 2 years from submission unless you request earlier deletion.

10. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

  • Right of Access: Obtain confirmation of whether we process your personal data and request a copy thereof.
  • Right to Rectification: Request correction of inaccurate or incomplete personal data.
  • Right to Erasure: Request deletion of personal data where there is no compelling reason for continued processing.
  • Right to Restriction: Request restriction of processing in certain circumstances.
  • Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
  • Right to Lodge a Complaint: Lodge a complaint with a supervisory authority (see Section 12).

Under India's DPDP Act, 2023, Data Principals have the right to access, correction, erasure, and grievance redressal. Please see our dedicated DPDP Compliance page for details.

To exercise any of these rights, contact us at privacy@securitybrigade.com. We will respond within 30 days (or within the timeframes mandated by applicable law).

11. Security of Personal Data

As a cybersecurity firm, we implement industry-leading technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These include encryption at rest and in transit (AES-256 and TLS 1.2+), role-based access control, multi-factor authentication, regular penetration testing of our own infrastructure, and comprehensive audit logging. For more details, please see our Security Policy.

12. Supervisory Authorities and Complaints

If you are unsatisfied with how we handle your personal data, you have the right to lodge a complaint with the relevant supervisory authority:

  • India: The Data Protection Board of India, once constituted under the DPDP Act, 2023.
  • EU/EEA: Your local Data Protection Authority (DPA) under the GDPR.
  • United Kingdom: The Information Commissioner's Office (ICO).
  • Singapore: The Personal Data Protection Commission (PDPC).

We encourage you to contact us at privacy@securitybrigade.com before filing a formal complaint so that we may address your concerns directly.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technologies, legal requirements, or regulatory guidance. Material changes will be communicated by posting the updated policy on this page with a revised "Last updated" date. Where changes are significant, we will make reasonable efforts to notify affected individuals directly.

14. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:

Data Protection Officer
Security Brigade InfoSec Private Limited
Email: privacy@securitybrigade.com

Regional Sales Contacts:
India: in.sales@securitybrigade.com
United Kingdom: uk.sales@securitybrigade.com
United States: us.sales@securitybrigade.com
Asia-Pacific: apac.sales@securitybrigade.com