Privacy Policy
Effective Date: February 1, 2025
Last Updated: February 1, 2025
1. Introduction
Rezilienz is committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, use our services, or interact with us. As a cybersecurity company specializing in Security Operations Center (SOC) services across the Americas, Caribbean, and Asia-Pacific regions, we understand the critical importance of data protection and privacy.
This policy applies to all individuals and organizations that interact with Rezilienz, including website visitors, clients, partners, and service users. We operate in compliance with the privacy laws of the jurisdictions where we conduct business, including the Dutch Caribbean territories (Curaçao, Aruba, Bonaire, Sint Maarten), the European Union's General Data Protection Regulation (GDPR), New Zealand's Privacy Act 2020, and India's Digital Personal Data Protection Act 2023 (DPDPA).
2. Information We Collect
2.1 Personal Information You Provide
We collect information that you voluntarily provide to us when you interact with our services. This includes your contact information such as name, email address, phone number, business address, job title, and company name. When you create an account with us, we collect account credentials including your username and encrypted password, along with your account preferences and settings. For business purposes, we gather company details, industry sector information, organizational structure, and your specific business requirements.
Your communications with us, whether through email, chat messages, support tickets, or other correspondence, are collected and retained. When you request our security services, we collect details about the services you need, incident reports you submit, and information related to consultation requests. Payment information, including your billing address and payment method details, is processed securely through third-party payment processors who handle the actual payment card data. We may also collect professional information such as LinkedIn profile data when voluntarily shared, professional certifications, and business references that help us understand your needs and provide appropriate services.
2.2 Information Automatically Collected
When you access our website or use our services, we automatically collect certain technical information. This includes device information such as your IP address, browser type and version, operating system, and device identifiers. We track usage data including the pages you visit, time spent on those pages, navigation paths through our site, click-stream data, and referral sources that brought you to our website. Technical data such as log files, access times, error reports, and performance metrics are collected to maintain and improve our systems. We determine general geographic location based on your IP address at the country or region level to provide localized services and comply with regional requirements.
2.3 Information from Third Parties
We may receive information from our business partners including joint venture partners in New Zealand and the Asia-Pacific region, referral partners, and authorized resellers who recommend our services. Service providers such as analytics platforms, marketing systems, and customer relationship management tools may provide us with information about your interactions with our services. We also gather publicly available business information from professional networks like LinkedIn and industry directories. For service delivery purposes only, we may receive security intelligence data from threat intelligence feeds and security databases that help us protect your systems.
2.4 Security Monitoring Data
In providing our SOC services through our security monitoring systems, we collect and process specific types of technical data. This includes network traffic metadata, connection logs, and traffic patterns, though we do not inspect the content of your communications. We collect security event data such as alerts, incidents, vulnerabilities, and threat indicators that are essential for protecting your systems. System logs from applications, security tools, and audit trails help us maintain comprehensive security oversight. Endpoint data from security agents, configuration information, and compliance status monitoring ensure your systems remain protected. This client security data is processed solely for service delivery and is subject to separate contractual agreements and strict confidentiality obligations.
3. Legal Basis for Processing
3.1 General Principles
We process personal information only when we have a lawful basis to do so. The legal grounds for our processing vary depending on the jurisdiction and the specific purpose of processing. We are transparent about our legal basis for each processing activity and ensure that all processing is fair, lawful, and necessary for the stated purposes.
3.2 Under GDPR (European Economic Area, UK, Switzerland)
For individuals in the European Economic Area, United Kingdom, and Switzerland, we rely on several legal bases for processing personal data. We process data when it is necessary to perform our contract with you or your organization, such as when delivering SOC and cybersecurity services, managing client accounts and subscriptions, processing payments and billing, and providing customer support and technical assistance.
We also process data based on our legitimate business interests, which include operating and improving our website, conducting marketing and business development activities, preventing fraud and maintaining security, performing internal analytics and research, and ensuring network and information security. These legitimate interests are balanced against your rights and freedoms, and we implement appropriate safeguards to protect your data.
Processing is also performed when necessary to comply with legal obligations, including tax and accounting requirements, regulatory compliance with financial services regulations in Caribbean jurisdictions, responding to legal proceedings and government requests, and maintaining industry-specific security requirements under ISO 27001 and SOC 2 frameworks.
Where required by law, we obtain your explicit consent for specific processing activities such as marketing communications, non-essential cookies, sharing information with third parties for marketing purposes, or processing any special categories of personal data. You may withdraw your consent at any time without affecting the lawfulness of processing conducted prior to withdrawal.
3.3 Under New Zealand Privacy Act 2020
Our processing activities in New Zealand comply with the thirteen Information Privacy Principles established under the Privacy Act 2020. We collect personal information only when it is necessary for a lawful purpose connected with our functions or activities, and we collect it by lawful and fair means. When collecting information, we ensure that you are aware of the purpose of collection, intended recipients, whether providing the information is voluntary or required, and the consequences of not providing the information. We also inform you of your rights under the Privacy Act and how to access and correct your information.
3.4 Under India's Digital Personal Data Protection Act 2023
For processing personal data of individuals in India, we comply with the Digital Personal Data Protection Act 2023 and the associated DPDP Rules 2025. We obtain clear and informed consent from data principals before processing their personal data, except where processing is permitted for certain legitimate uses under the Act. Our consent requests are accompanied by a privacy notice that describes the personal data to be collected, the purpose of processing, and how individuals can exercise their rights under the DPDPA.
We ensure that data processing is limited to what is necessary for the specified purpose, maintain accuracy of personal data, implement appropriate security safeguards, and delete personal data when it is no longer needed for the lawful purpose or when consent is withdrawn. Where we are designated as a Significant Data Fiduciary, we comply with additional obligations including appointing a Data Protection Officer based in India, conducting independent audits, and performing data protection impact assessments.
4. How We Use Your Information
We use the information we collect for several clearly defined purposes, always in accordance with applicable privacy laws and the legal bases described above. For service delivery, we utilize your information to provide comprehensive SOC services including SIEM/XDR monitoring, attack surface management, and data loss prevention. This includes incident detection, response, and remediation activities, security assessments and vulnerability management, threat intelligence and security analytics, and virtual Chief Information Security Officer (vCISO) advisory services that help you maintain a strong security posture.
For business operations, we use your information to create and manage user accounts, process transactions and payments, maintain customer relationships, communicate about services, updates, and incidents, and provide technical support and troubleshooting when you need assistance. We also use this information for security and compliance purposes, protecting against fraud, unauthorized access, and security threats, conducting security audits and assessments, maintaining our ISO 27001 and SOC 2 compliance certifications, investigating incidents and performing forensic analysis when necessary, and ensuring business continuity and disaster recovery capabilities.
Your information helps us conduct analytics and improvements by analyzing service performance and effectiveness, enhancing our security platforms and monitoring systems, developing new features and services based on user needs, conducting research and statistical analysis to improve cybersecurity outcomes, and performing benchmarking and industry analysis that benefits our entire client base. We use your information for marketing and communications purposes, including sending service updates and security advisories, marketing our services where appropriate consent has been obtained, managing events, webinars, and training opportunities, conducting customer satisfaction surveys, and building strong business relationships with our clients and partners.
Finally, we process your information for legal and regulatory compliance, responding to legal requests and court orders, enforcing our terms and conditions, protecting our legal rights and interests, and resolving disputes that may arise in the course of our business relationship.
5. Data Sharing and Disclosure
We share information only as necessary for the purposes described in this policy and always with appropriate safeguards. We do not sell personal information to third parties. We engage trusted service providers who process data on our behalf, including technology platform providers for our SIEM/XDR services, attack surface management, and data loss prevention. Cloud infrastructure providers including Amazon Web Services and Microsoft Azure host and process data as part of our service delivery. We use analytics services, marketing automation platforms, communication tools, email service providers, and customer relationship management systems to maintain our business operations. Payment processors handle secure payment gateways and merchant services, while professional services firms provide legal, accounting, and audit support. All service providers are contractually bound to protect data and use it only for the specific purposes we authorize.
We share information with our business partners when necessary for service delivery. This includes our joint venture partner in New Zealand for Asia-Pacific expansion activities, authorized referral partners who introduce clients to our services, and cyber emergency response partners such as Northwave who provide incident response services when activated. We also collaborate with technology partners and security vendors whose solutions are integral to our service delivery.
We disclose information when required by law or when necessary to comply with legal processes, court orders, or government requests, enforce our rights and contracts, protect the safety and security of our services and users, prevent fraud, security threats, or illegal activities, and comply with regulatory requirements in Curaçao and other jurisdictions where we operate. In the event of a merger, acquisition, reorganization, or sale of assets, personal information may be transferred to the acquiring entity. We will notify affected individuals and ensure continued protection of their data throughout any such transition.
We may share information with third parties when you provide explicit consent for specific purposes beyond those described in this policy, ensuring that you maintain control over your personal information at all times.
6. International Data Transfers
Rezilienz operates globally across the Americas, Caribbean, and Asia-Pacific regions, which means that personal data may be transferred to and processed in countries outside your country of residence. We transfer personal data to Curaçao where our headquarters are located, to New Zealand where we conduct Asia-Pacific operations through our joint venture partnership, to the United States where certain technology platform providers are based, and to the European Union where some business partners and service providers operate.
6.1 Transfer Safeguards for GDPR
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, we implement appropriate safeguards to ensure adequate protection. We use Standard Contractual Clauses approved by the European Commission, which are model contracts that provide appropriate data protection guarantees. Where possible, we transfer data to countries that have received an adequacy decision from the European Commission, recognizing that these jurisdictions provide a level of data protection essentially equivalent to the GDPR. We maintain Binding Corporate Rules for intra-group transfers, which are internal data protection policies that ensure consistent protection across our organization. In some cases, we rely on your explicit consent for specific transfers, or we transfer data when necessary for contract performance or legal compliance.
6.2 Transfer Safeguards for New Zealand Privacy Act
When transferring personal data from New Zealand to other countries, we ensure that we comply with the Privacy Act 2020's requirements for cross-border data transfers. We conduct due diligence on third-party vendors who will store or process personal information outside New Zealand, ensuring they maintain appropriate security and privacy standards. We include contractual provisions in our agreements with overseas agents and processors that require them to protect personal information in a manner consistent with New Zealand's privacy principles.
6.3 Transfer Safeguards for India DPDPA
For transfers of personal data outside India, we comply with the Digital Personal Data Protection Act's requirements. We do not transfer personal data to countries that are blacklisted by the Indian government, and we ensure that all international transfers are subject to appropriate contractual safeguards. When we are designated as a Significant Data Fiduciary processing sensitive categories of data, we comply with any data localization requirements specified by the government, ensuring that certain data remains within Indian jurisdiction as required.
7. Data Security
As a cybersecurity company specializing in security operations, we implement industry-leading security measures to protect your information. Our commitment to security is demonstrated through our ISO 27001 certification and SOC 2 Type II compliance, which involve regular audits of our security controls and practices.
We employ comprehensive technical safeguards to protect your data. All data is encrypted in transit using TLS 1.3 protocols and at rest using AES-256 encryption standards. We implement strict access controls including multi-factor authentication, role-based access control, and privileged access management to ensure that only authorized personnel can access sensitive information. Our network security measures include firewalls, intrusion detection and prevention systems, and network segmentation that isolates critical systems. We provide continuous twenty-four hour, seven day per week, three hundred sixty-five day per year SOC monitoring using SIEM correlation and real-time threat detection to identify and respond to security incidents. Our vulnerability management program includes regular security scanning, penetration testing, and timely patch management to address identified vulnerabilities. We follow secure development practices including security-by-design principles, code reviews, and security testing throughout our development lifecycle.
Our organizational safeguards are equally robust. We maintain comprehensive information security policies and procedures that guide all aspects of our operations. All employees receive regular security awareness and privacy training to ensure they understand their responsibilities. We conduct background checks for employees who have access to sensitive data. We have documented incident response and breach notification procedures that ensure rapid and effective response to any security events. We implement data minimization practices, collecting and retaining only the data necessary for our stated purposes. We conduct regular internal and external security audits to verify the effectiveness of our controls and identify areas for improvement.
In the unlikely event of a data breach that affects personal information, we have established procedures to investigate and contain the breach promptly, notify affected individuals within seventy-two hours as required by GDPR and as appropriate under other applicable laws, notify relevant supervisory authorities and data protection boards as required, provide detailed information about the breach, affected data, and remedial measures we are implementing, and take comprehensive steps to prevent future occurrences. Our commitment to transparency ensures that you will be informed promptly if your data is affected by any security incident.
8. Data Retention
We retain personal information only as long as necessary for the purposes described in this policy or as required by applicable law. Our retention periods are designed to balance our business needs, legal obligations, and your privacy rights. Client data is retained for the duration of our service relationship plus seven years thereafter to meet audit and legal requirements. Security event data is retained for thirteen months to enable effective threat analysis and compliance reporting. Financial records are maintained for seven years in accordance with regulatory requirements. Marketing data is retained until consent is withdrawn or for three years following the last interaction, whichever comes first. Website analytics data is kept for twenty-six months. Support tickets and related communications are retained for five years to ensure we can address any recurring issues effectively. Contract documents are preserved for ten years after contract termination to comply with legal and audit requirements.
After retention periods expire, we securely delete or anonymize personal information using industry-standard methods. Anonymized data that cannot be linked back to individuals may be retained indefinitely for statistical analysis and research purposes that benefit our services and the broader cybersecurity community. In certain circumstances, we may retain data beyond normal retention periods when required for legal proceedings, investigations, or regulatory requirements, but we will do so only to the extent necessary and will protect such data with appropriate safeguards.
9. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance user experience, maintain website functionality, and analyze website performance. We provide you with clear information about the cookies we use and give you control over non-essential cookies.
Strictly necessary cookies are essential for the website to function properly and do not require your consent. These include session management and authentication cookies that keep you logged in, security and fraud prevention cookies that protect our website and your data, and cookies that enable basic website functionality such as language preferences and secure form submissions.
We use performance and analytics cookies, which do require your consent, to understand how visitors interact with our website. Google Analytics helps us analyze website traffic patterns, monitor performance, and identify areas for improvement. These cookies collect information about page visits, time spent on pages, and navigation patterns. We also use error tracking cookies to identify and resolve technical issues that affect user experience.
Functional cookies, which also require consent, remember your choices and preferences to provide enhanced features. These include language and region preference cookies, user interface customization options, and cookies that remember your settings across visits.
Marketing cookies are used with your consent to measure the effectiveness of our marketing campaigns. We use LinkedIn Insight Tag for conversion tracking and remarketing purposes. We may also use cookies for targeted advertising to reach audiences interested in cybersecurity services.
You can control cookies through several methods. Most web browsers allow you to refuse or delete cookies through browser settings. Our website provides a cookie consent tool where you can manage your preferences for different categories of cookies. You can also use opt-out links provided by specific services to control their use of your data. Please note that disabling certain cookies may affect website functionality and your user experience. Third-party services embedded in our website, such as Google Analytics, LinkedIn Insight Tag, and YouTube videos, may set their own cookies governed by their respective privacy policies.
10. Your Privacy Rights
The privacy rights available to you depend on your location and the applicable privacy laws. We are committed to honoring these rights and providing you with the means to exercise them effectively.
10.1 Rights Under GDPR (EEA, UK, Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have comprehensive rights under the GDPR. You have the right to access your personal data and receive copies of the information we hold about you. You can request that we correct any inaccurate or incomplete data. You have the right to request erasure of your data, also known as the right to be forgotten, although this right is subject to certain limitations when we have legitimate grounds to retain the information. You can request that we restrict how we process your data in certain circumstances. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. You can object to processing based on legitimate interests or for direct marketing purposes. You have the right to withdraw consent for any processing based on consent, without affecting the lawfulness of processing conducted before withdrawal. You also have the right to lodge a complaint with a supervisory authority in your country if you believe we have violated your data protection rights.
10.2 Rights Under New Zealand Privacy Act 2020
Under the Privacy Act 2020, you have the right to request access to the personal information we hold about you and to receive that information in a readily accessible form. You can request correction of any inaccurate, out-of-date, incomplete, or misleading personal information. While the Act does not provide an explicit right to erasure, you can request deletion of your information in certain circumstances, and we will consider such requests in accordance with our legal obligations. You have the right to complain to the Office of the Privacy Commissioner if you believe we have violated your privacy rights.
10.3 Rights Under India DPDPA 2023
Under the Digital Personal Data Protection Act 2023, data principals in India have specific rights regarding their personal data. You have the right to access your personal data and receive information about how it has been processed. You can request correction of inaccurate or misleading personal data and request completion of incomplete data. You have the right to erasure of your personal data or to restrict its processing in certain circumstances. You can nominate another person to exercise these rights on your behalf. Where processing is based on consent, you have the right to withdraw that consent at any time, with the same ease with which the consent was given. You have the right to complain to the Data Protection Board of India if you believe we have violated your rights under the DPDPA.
10.4 Exercising Your Rights
To exercise any of your privacy rights, you can contact us through multiple channels. You may email us at privacy@rezilienz.com with details of your request, send written correspondence to our Data Protection Officer at our Curaçao office address, or use the privacy request form available on our website. When you submit a request, please provide sufficient information to allow us to verify your identity and locate your data in our systems. We will respond to your request within the timeframe required by applicable law: within thirty days for GDPR requests, within twenty business days for New Zealand Privacy Act requests, and in accordance with DPDPA requirements for requests from India.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects about you. Any decisions that might affect you are made with appropriate human review and oversight.
11. Children's Privacy
Our services are designed for businesses and are not directed to individuals under eighteen years of age. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected data from a child without appropriate parental or guardian consent as required by applicable law, we will delete that information promptly. Parents or guardians who believe we may have collected information from their child should contact us immediately at privacy@rezilienz.com so we can take appropriate action.
12. Third-Party Links
Our website may contain links to third-party websites, services, or applications that are not operated by Rezilienz. We are not responsible for the privacy practices of these third parties. These third-party sites have their own privacy policies that govern how they collect, use, and protect your information. We encourage you to review the privacy policies of any third-party sites you visit before providing any personal information to them. The inclusion of any link does not imply our endorsement of the third-party site or service.
13. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, services, technologies, legal requirements, or other operational, legal, or regulatory reasons. When we make changes, we will post the updated policy on our website with a new "Last Updated" date at the top of the document. For material changes that significantly affect how we handle your personal information, we will provide additional notice through prominent website notification, email communication to registered users and clients, or other appropriate means. Where required by applicable law, we will obtain your consent before implementing material changes that affect how we process your personal information.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after any changes to this Privacy Policy constitutes your acceptance of those changes. If you do not agree with any changes, you should discontinue use of our services and contact us to discuss your options.
14. Data Protection Officer and Contact Information
We have designated a Data Protection Officer who oversees our privacy compliance program and serves as the primary point of contact for privacy-related matters. Our Data Protection Officer can be reached at dpo@rezilienz.com for any questions about how we process personal data, requests to exercise your privacy rights, concerns about our privacy practices, or inquiries about compliance with data protection laws.
For general privacy inquiries, you can contact us at privacy@rezilienz.com. For security incidents or concerns, please contact our security team at security@rezilienz.com or call our twenty-four hour SOC emergency line at [emergency number]. For all other business matters, you can reach us at info@rezilienz.com.
Our business address is:
Rezilienz
Dokweg 19
Curaçao
For inquiries from specific regions, we have established the following contacts: For Caribbean operations, please contact our Curaçao office. For Asia-Pacific operations, please contact our New Zealand joint venture partner office. For European inquiries, please contact our Data Protection Officer who coordinates with our EU representative as necessary.
15. Supervisory Authorities
15.1 European Economic Area, UK, and Switzerland
If you are located in the EEA, UK, or Switzerland and believe we have violated your data protection rights, you have the right to lodge a complaint with the supervisory authority in your country. For EU member states, contact your national data protection authority. For the United Kingdom, you can contact the Information Commissioner's Office at https://ico.org.uk. For Switzerland, contact the Federal Data Protection and Information Commissioner.
15.2 New Zealand
If you are in New Zealand and have concerns about how we handle your personal information, you can contact the Office of the Privacy Commissioner at https://privacy.org.nz or by calling 0800 803 909.
15.3 India
If you are in India and wish to file a complaint about our data protection practices, you can contact the Data Protection Board of India. Contact details for the Board will be made available once the Board is fully established under the DPDPA.
16. Jurisdiction-Specific Information
16.1 Dutch Caribbean (Curaçao, Aruba, Bonaire, Sint Maarten)
As a company headquartered in Curaçao, we comply with the privacy and data protection laws applicable in the Dutch Caribbean territories. We are subject to supervision by local regulatory authorities and comply with any sector-specific requirements that apply to our operations, particularly those related to financial services organizations and critical infrastructure protection.
16.2 European Union and United Kingdom
For individuals in the EU and UK, we act as a data controller for the processing of your personal data. Where required, we have appointed or will appoint an EU and UK representative. We are registered with relevant data protection authorities as required by local law. Our processing of EU and UK personal data is governed by the GDPR and UK GDPR respectively.
16.3 New Zealand
For individuals in New Zealand, we comply with the Privacy Act 2020 and the thirteen Information Privacy Principles. We have established procedures to handle privacy requests, manage notifiable privacy breaches, and ensure that any overseas transfers of personal information comply with New Zealand's requirements for cross-border data flows.
16.4 India
For individuals in India, we comply with the Digital Personal Data Protection Act 2023 and the Digital Personal Data Protection Rules 2025. We process personal data only with appropriate consent or other lawful basis as permitted under the DPDPA. Where we are designated as a Significant Data Fiduciary, we comply with enhanced obligations including maintaining a Data Protection Officer based in India and conducting regular audits and impact assessments.
________________________________________________________________________________
Document Control:
Version: 2.0
Effective Date: February 1, 2025
Next Review: August 1, 2025
Owner: Data Protection Officer
Classification: Public