Fox-IT - Privacy Notice
We respect your privacy
We encourage you to read this Privacy Notice so that you are fully informed about the processing of your personal data and how we comply with privacy legislation such as the General Data Protection Regulation (“GDPR”).
If you do not live in the European Economic Area (EEA), additional privacy requirements may apply, such as the California Consumer Privacy Act (CCPA) in the United States, the UK GDPR in the United Kingdom, and other local laws and regulations. We take these regulations into account to ensure the protection of personal data regardless of the user's location.
Fox-IT respects your right to privacy and takes measures to protect your privacy. In this Privacy Notice, we explain who we are, how we collect, share and use personal data about you and how you can exercise your rights. This Privacy Notice applies to personal data we collect through our website at www.fox-it.com ("Website") and in the course of providing our services ("Services"). For a current overview of our Services, please visit our Website. For more information on how we process personal data of job applicants, please see the Candidate Privacy Notice.
If you have any questions or concerns about our use of your personal information, please contact us using the contact information under the heading "How to Contact Us" below.
Fox-IT is an expert in cybersecurity and risk mitigation. It is headquartered in Delft at Olof Palmestraat 6, 2616 LM Delft. Fox-IT is part of NCC Group, headquartered in Manchester, England at 2 Hardman Boulevard Spinningfields, M3 3AQ. Our services focus on keeping our clients and society safe by providing cybersecurity services. Examples include forensic investigations, advanced threat intelligence services and consulting. For more information on these services, visit our Website.
Fox-IT provides various cybersecurity services. For some services, Fox-IT is a processor under the GDPR. For more information please refer to the Sub-processor page on our Website. For other services, Fox-IT is a controller under the GDPR. We carefully determine the methodology used and implement appropriate security measures to protect your personal data. Fox-IT may act as controller in the performance of the following services:
Fox-IT: Consultancy & Implementations (EU)
We provide cybersecurity consulting services to our clients. We guide our clients to a more secure digital future by sharing in-depth knowledge, helping to set priorities, and providing high-quality cybersecurity services. This includes delivering Training & Awareness campaigns, for which we collect personal data from our clients.
Fox-IT: Digital Forensics & Incident Response (EU)
We conduct cyber incident investigations and provide incident response services to our clients. We also conduct investigations that are aimed at one or more individuals. As part of such investigations, personal data may be collected from our customers, third parties or from public sources.
For that purpose, Fox-IT is licensed by the Dutch Ministry of Justice and Security to conduct private investigations. We process personal data to the extent permitted by law in accordance with the Dutch Private Security Organizations and Criminal Investigation Agencies Act (“Wbpr”), the Dutch Private Security Organisations and Investigation Agencies Regulations (“Rbpr”), the Dutch Private Security Organizations and Criminal Investigation Agencies Policy Rules and the (Privacy) Code of Conduct for the Private Investigation Agencies Sector ("PPO"). We inform investigation subjects based on the principles of the PPO, unless an exception applies under applicable privacy laws. This means that we ensure clear and timely communication regarding the processing of personal data, including the purposes, legal basis and any data sharing. In doing so, we follow applicable privacy laws and the standards and guidelines set forth in the Code of Conduct. In cases where full disclosure is not possible, we make a careful assessment based on legal and ethical considerations.
Fox-IT: Global Threat Intelligence (GTI) EU
We provide threat intelligence services in which we enable our clients to identify and monitor potential cyber threats in a timely manner. As part of these services, we process personal data obtained from our customers, third parties or public sources.
Fox-IT: Technical Assurances Services (TAS) EU
We offer our customers the ability to simulate cyber-attacks or hacks to test the security level of their systems. Examples include performing red teaming assignments. As part of these services, we process personal data obtained from our customers, third parties or public sources.
In the performance of certain services - including Digital Forensics and Incident Response, Threat Intelligence and Technical Assurances Services - the nature and purposes of the services, whether or not in conjunction with the specific circumstances of an assignment, may mean that Fox-IT cannot provide you with all information about the processing of your personal data. This is the case (i) if it does not prove possible for Fox-IT to inform you, for example if it is factually impossible to inform you, (ii) if it requires a disproportionate effort on Fox-IT's part to inform you, (iii) if the provision of information results in the purposes of processing personal data becoming impossible or being seriously jeopardized by the provision of that information or (iv) if there is a compelling interest, including the prevention of criminal offences or protecting the rights and freedoms of others.
The personal data we collect from you, directly or indirectly, depends on how you interact with us and with our website. We collect personal data about you from the following different sources:
Information you provide directly
We collect personal information directly from you when you choose to provide it to us online and through your other interactions with us (such as information you share with us through contacting us by phone, email, completing surveys). Certain areas of our Website ask you to provide personal data when you complete the web form, such as for our newsletter, event participation, or contact request.
Information we collect indirectly
We collect your personal data indirectly, including through automated means from your device when you visit our Website or when you visit our office through cameras, communication data. Some of the data we collect indirectly is captured using cookies, as further explained in our Cookie Statement.
Third party information
We also collect your personal data from third parties where necessary and appropriate in the context of providing the services. Third parties include in particular our customers to whom we provide our services and from whom we may obtain personal data in connection therewith and service providers who provide operational support, email, marketing and analysis services. Fox-IT may verify, if and to the extent reasonably expected by Fox-IT, that the third party either has your consent or is otherwise permitted or required to provide us with your personal data.
In general, we will only use the personal data we collect from you for the purposes described in this Privacy Notice or for purposes we explain to you at the time we collect your personal data. We may also use your personal data for other purposes that are compatible with the purposes we have disclosed to you (such as archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes) if and where permitted by applicable data protection law. Further information on the compatibility of other purposes is available upon request.
The table below describes the categories of personal information we collect from and about you as part of our services. We may combine this information with other information in our systems to further develop our products and services (to the extent permitted by law).
| Personal data | Source |
| --- | --- |
| Customer and (business) contact information such as your first and last name, (business) email address, phone number, address information, (digital) signature, job-related information and other customer and contact information | |
| Billing information such as your billing address, transaction statements, address information, bank information. Please refer to the Privacy Notice of your payment service provider for more information on how they process personal data. | |
| Communication data such as your feedback about our services and other communications with us (including when you contact our customer service), questions you ask, survey participation, chat, email or conversation history with us or with third-party service providers. This includes information about how you contact customer service and the communication channel you use or the information you send to us. | |
| Security data collected in our office premises for security purposes including CCTV data and location data within our office to protect our property and assets, employees, customers, vendors and visitors. | |
| Usage data Website such as data about activity and interaction with https://www.fox-it.com/, information that we capture using cookies and similar technologies (see the "Cookie Statement"). This may include page views and searches, login information, clicks, operating system, information about content viewed, duration of visits to certain pages, duration of Website use, and other functional information about Website performance, your location (e.g., diagnostic and crash log information). | |
| Technical data when we provide our Services to our customers. This data comes from third parties or public sources. Examples include your IP address, URL, file MAC address, IMEI address, username, time of access, access rights, your operating system, geographic data, information from public sources and other technical data we collect in the course of providing our Services. | |
| Investigative data is data that may or may not emerge “on the side” in the course of our services, for example, to understand and mitigate cyber threats, such as in an open source investigation or as part of a forensic copy that must not be compromised as part of the integrity of the data ("chain of custody"). Examples of investigative data may include your e-mail address, access rights, financial data or special personal data that may emerge from the investigative material. | |
We use the personal data we collect from and about you only for the purposes described in this Privacy Notice or for purposes we explain to you at the time we collect your data. Depending on our purpose for collecting your personal data, we rely on one of the following legal bases:
- Consent - in certain circumstances, we may seek your consent (separate from any agreement between us) before collecting, using or disclosing your personal information, in which case you may voluntarily choose to give or withhold your consent without negative consequences to you;
- Agreement - we process (business) personal data when necessary for the performance of an agreement to which you are a party. This includes processing data to provide products or services, fulfill contractual obligations or answer questions directly related to the agreement. Processing of personal data on this basis is strictly limited to what is necessary to effectively perform and manage the agreement;
- Legal obligation - we may need to process and retain your personal data to comply with the law or to fulfil certain legal obligations;
- Legitimate interest - we will use or disclose your personal data for the legitimate interests of either Fox-IT or the (compatible) derivative legitimate interests of a third party, such as our customers, but only when we are satisfied that your rights will be adequately protected. If we invoke our legitimate interests (or those of a third party), these interests will normally include: operating, offering and improving our products and services; detecting or preventing illegal activities (e.g. fraud); and/or managing the security of our IT infrastructure and the safety and security of our employees, customers, vendors and visitors; communicating with you and answering your questions; improving our Website or using the insights to improve or further develop our marketing activities. When we need your information to pursue our legitimate interests or the legitimate interests of a third party, we do so in a manner you would reasonably expect, as part of Fox-IT's services. In addition, we do so in a manner that does not materially interfere with your rights and freedoms. To obtain further information about how we assess our legitimate interests, please refer to "How to contact us" below.
The following table provides more information on our purposes for processing your personal data and the corresponding legal bases. The legal basis on which your personal data are processed depends on the personal data in question and the specific context in which we use them.
| Purpose | Type of personal data | Basis for processing, including basis of legitimate interest |
| --- | --- | --- |
| Providing and improving our services to clients. | Customer and contact information; Communications data; Technical data; Research data | |
| Processing billing data, including delivery of quotes and electronic receipts. | Customer and contact information; Communications data; Billing information; Transaction Data | |
| Communications and related administration about our services, service updates, confirmations, invoices, technical notices, updates, security alerts, support and administrator messages and related questions, requests or complaints. | Customer and contact information; Billing information; Communications data; Technical data; Website usage data | |
| To keep our business, including our Website, our premises and our employees, customers, visitors safe and address threats to their safety or the safety of others; to detect and prevent fraud. | Customer and contact information; Billing information; Website usage data; Security data; Communications data | |
| To operate and maintain our Website and our IT systems (including monitoring, troubleshooting, data analysis, testing, system maintenance, repair and support, reporting and data hosting). | Customer and contact information; Technical data; Website usage data | |
| Comply with legal obligations to which we are subject, including our obligations to respond to your requests under data protection laws. | Customer and contact information; Billing information; Website Usage Data; Communications data; Technical data; Research data | |
| Protect our legal rights (including, where necessary, sharing information with regulators and others), for example, to defend claims against us and in legal proceedings to defend our interests. | Customer and contact information; Billing information; Technical data; Security data; Website usage data; Communications data; Research data | |
We share your personal data with the following categories of recipients:
- our group companies (please also see our Affiliate page), which includes Fox-IT. In order to provide the global service, personal data may be processed by various entities and locations of NCC Group, which provide data processing services necessary to provide you with our services (for example, in the context of providing cybersecurity services to our customers; ensuring the functionality of our services or helping to improve the security of our customers' internal systems), or who otherwise process personal data for purposes described in this Privacy Notice. Our group companies, to which we transfer your personal data, are all active in cybersecurity and risk mitigation.
- external service providers and partners who provide us with data processing services necessary to provide you with our cybersecurity services, to support the delivery of our Website, provide functionality or help improve its security; or who otherwise process personal data for purposes described in this Privacy Notice. Please also see our Third party processor page for an overview of the most common third-party service providers that we engage to process your personal data, the categories of services they provide and the types of personal data they receive to provide those services to us.
- other partners and distributors with whom we work on an occasional basis to provide and resell our cybersecurity services;
- a competent regulator, government agency, court or other third party (such as our professional advisors) when we believe disclosure is necessary (i) under applicable law or regulation, (ii) to exercise, establish or defend our legal rights or so that a third party may defend its own, or (iii) to protect your vital interests or those of another person;
- a purchaser (and its agents and/or advisers) in connection with an actual or proposed acquisition, merger or takeover of part of our business, provided that we inform the purchaser that it may use your personal data only for the purposes set forth in this Privacy Notice; or
- another person with your consent to the disclosure (separate from any agreement between us).
We use appropriate technical and organizational measures to protect the personal data we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of the processing. Fox-IT is ISO 27001 and ISO 9001 certified. We also have independent audits performed that test the adequacy of our information security and quality management systems. The ISO 27001 certificate includes a Statement of Applicability that includes all audits. We can provide more information upon request, see "How to contact us" at the bottom of this Privacy Notice.
Personal data transfers to our Group companies
Fox-IT is part of NCC Group. Our primary servers are located in the Netherlands. In order to provide our services worldwide, in some cases we transfer your personal data to another NCC Group company and such personal data is processed in countries other than the country in which you live. These countries may have data protection laws that differ from the laws in your country (and in some cases offer less protection). An overview of our Group companies can be found here.
Personal data transfers to third parties
In some cases we transfer your personal data to third parties, such as external service providers and partners. They operate all over the world. This means that when we collect your personal data, we will process it in each of these countries depending on the type of service purchased by our customers. An overview of our Third party processors can be found here.
When we transfer your personal data to countries or organizations outside the European Economic Area, which are formally recognized as providing an adequate level of protection for personal data, we rely on the relevant "adequacy decisions" of the European Commission. We transfer Customer and Contact Data, Billing Data, Communications Data, Security Data, Website Usage Data, Technical Data and Research Data from the European Economic Area (EEA) to the United Kingdom and the United States based on these adequacy decisions. For the United Kingdom, you can access the adequacy decision here. You can find the adequacy decision for transfers between the EEA and the United States here.
Where we cannot use an adequacy decision we have implemented appropriate safeguards to ensure that your personal data remains protected in accordance with this Privacy Notice and applicable law. The safeguards we use to transfer personal data are, in the case of both our group companies and external service providers and partners, the model provisions of the European Commission as issued on June 4, 2021 under Article 46, paragraph 2 of the GDPR using Modules I, II, III and IV of the Model Provisions for controller to controller, for controller to processor.
We can provide you with our model clauses entered into with our group companies, external service providers and partners upon request. Please note that certain confidential commercial information will be removed from the model clauses.
For more information, please also see the section "Whom we share your personal data with".
We do not retain personal data longer than necessary for the purposes for which it was collected, unless a longer retention period is required or permitted by law. Retention periods are established based on legal obligations, contractual agreements and our legitimate interests.
Below is an overview of the main categories of personal data and the corresponding retention periods:
| Category of personal data | Retention period | Basis |
| --- | --- | --- |
| Customer information (name, contact information, billing information) | Maximum 10 years after termination of customer relationship | Tax and administrative obligations (e.g., tax laws) |
| Marketing data (newsletter subscriptions, leads) | Until withdrawal of consent or max. 2 years after last contact | Consent or legitimate interest (offering similar services) |
| Application details (resume, cover letter) | Maximum 4 weeks after rejection, or 1 year with consent | Consent or legitimate interest (recruitment purposes) |
| Security and access records | Maximum 6 months (camera surveillance 1-3 months). These deadlines may be extended in the event of a security incident. | Legitimate interest (security) |
| Forensic investigation material in case of Digital Forensics & Incident Response | These deadlines may be extended in case of ongoing legal proceedings or criminal investigations. | Consent or (derived) legitimate interest (detection or prevention of illegal activities, security) |
| Investigation material for Red Team assignments | | Consent or (derived) legitimate interest (detection or prevention of illegal activities, security) |
| Other research data | Variable, depending on legal deadlines and research purpose | Legal obligation or consent |
After the expiration of the retention period, the data is securely deleted or anonymized so that it is no longer traceable to an individual.
For specific questions about retention periods, please contact us via the information under "How to contact us".
Individuals in the EEA have the following data protection rights. If you wish to exercise any of these rights, please refer to the specific instructions below or contact us using the contact details under the heading "How to contact us".
You have the right to access your personal data and you can have your personal data rectified (corrected) or request deletion of your personal data.
You can object to the processing of your personal data, ask us to restrict the processing of your personal data or request the portability of your personal data (i.e. transfer your data in a readable and standardized format).
If we have collected and processed your personal data with your consent, you may withdraw your consent at any time by using the contact details under the heading "How to contact us". Withdrawing your consent will not affect the lawfulness of the processing we have carried out prior to your withdrawal, nor the processing of your personal data on any lawful grounds other than consent.
You have the right to complain to a regulator about our collection and use of your personal data. Please contact your local regulator for more information. Contact details for regulators in Europe can be found here. With certain regulators, you must go through our internal complaints procedure before they will consider your complaint. If you have a complaint about how we handle your personal data, contact us via the information under "How to contact us".
We respond to all requests we receive from individuals seeking to exercise their data protection rights in accordance with applicable data protection laws.
We may make changes to this Privacy Notice due to legislative and regulatory developments or in our business and related technologies. If we update our Privacy Notice, we will take appropriate steps to notify you, in reasonable proportion to the changes we make.
You can see when this Privacy Notice was last updated by checking the "last updated" date displayed at the top of this Privacy Notice.
If you have any questions or concerns about our use of your personal information, please contact us at the following address:
Fox-IT B.V.
Olof Palmestraat 6,
2616 LM Delft
Netherlands
You can contact our Group Data Protection Officer at the following email address: dataprotection@nccgroup.com, or by sending a letter to the above address for the attention of the Data Protection & Governance team.
If you are a Fox-IT customer yourself, you can also obtain more information about data processing through your local contact/account manager.
Please visit our Cookie Statement for information on how the Website uses cookies.