GDPR

Cyver Core is fully GDPR compliant

Cyver strives to meet the highest standards for security and data privacy, while meeting the needs and expectations of our clients and customers.

Data Processing Agreement (DPA)

A Data Processing Agreement is a legally binding contract that outlines how personal data is handled by Cyver and Cyver Core, and by any subprocessors we use in connection with providing our services, including services such as email, web hosting, storage, analytics, and customer support. This page provides an overview of our approach to data processing and data protection.

You can find a full list of our subprocessors on our Sub-Processors page. If you need a signed DPA, you can submit a request through our data request form.

Our Data Protection Officer

If you have questions about our data protection practices, or would like to exercise your rights under the GDPR, please contact our Data Protection Officer at:
[email protected]

What is the GDPR?

The General Data Protection Regulation (GDPR) is a European law designed to protect personal data in a digital society. It governs how, why, and when data may be collected and used, and sets out the technical and organisational safeguards organisations must implement, as well as penalties for non-compliance.

Adopted in 2016 and enforceable since May 2018, the GDPR applies to any organisation that processes, controls, or stores personal data about individuals in the European Union. Following Brexit, the UK GDPR applies similar standards in the United Kingdom. Cyver and its subprocessors are subject to these requirements whenever personal data is processed in connection with our services.

Cyver’s Responsibilities Under the GDPR

Where Cyver processes personal data on behalf of customers in connection with Cyver Core, Cyver acts as a data processor and the customer remains the data controller.

Cyver is committed to the core principles of the GDPR and maintains an information security program supported by independent audits, including a SOC 2 Type II report covering relevant security controls. We commit to the following principles:

  • Lawfulness, fairness, and transparency: We process personal data on an appropriate legal basis and in a way that is clear and fair.
  • Purpose limitation: Data is collected for specific, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
  • Data minimisation: We only collect the data necessary to fulfil the stated purposes.
  • Accuracy: We take reasonable steps to ensure data is accurate and kept up to date where necessary.
  • Storage limitation: We do not retain data longer than necessary, in line with our retention policies and legal obligations.
  • Integrity and confidentiality: We implement appropriate technical and organisational measures to protect data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
  • Documentation and compliance: We maintain records of processing activities and review our controls and processes on a regular basis.
  • Third-party processors: We ensure that any subprocessors engaged in connection with our services are subject to appropriate privacy and security requirements.

International Data Transfers

Under the GDPR and UK GDPR, Cyver does not transfer personal data outside the European Economic Area, the United Kingdom, or Switzerland unless an appropriate legal transfer mechanism applies:

  • Adequacy decisions: The destination country has been recognised by the European Commission or the UK Information Commissioner’s Office as providing an adequate level of data protection.
  • Appropriate safeguards: Where no adequacy decision applies, Cyver relies on the European Commission’s Standard Contractual Clauses (SCCs) and, where required, the UK International Data Transfer Addendum.

Cyver does not rely on the now-invalidated EU-US Privacy Shield as a transfer mechanism.

What Is Personal Data?

Personal data means any information relating to an identified or identifiable natural person. This may include identifiers such as names and email addresses, as well as IP addresses, device identifiers, location data, online identifiers, or any information that could reasonably be used to identify an individual.

Your Rights Under the GDPR

Under the GDPR, you have the right to:

  • Access: Request a copy of any personal data that Cyver stores about you.
  • Rectification: Request correction of inaccurate or incomplete personal data.
  • Erasure: Request deletion of your personal data where there is no legal reason for us to retain it.
  • Restriction of processing: Request that we temporarily limit the processing of your personal data in certain circumstances.
  • Data portability: Request a copy of your personal data in a structured, commonly used, machine-readable format, or request that it be transferred to another controller where applicable.

To exercise any of these rights, please contact our Data Protection Officer at [email protected]. We will respond within the timeframe required by applicable law.