Privacy Policy

1. General

Seraforce AG (hereinafter "Seraforce", "we", "us") is a leading and independent Swiss company for comprehensive cyber security and penetration testing. Information and data protection is one of our core competencies - accordingly, the protection of your data is important to us. In this data protection declaration, we inform you comprehensively about our handling of your personal data, among other things, as our website and event visitor, applicant, and newsletter subscriber. We explain your rights in connection with the processing of personal data in our company. The processing of personal data of our employees, customers and clients outside our websites is regulated exclusively within the framework of our employee and management contracts.

A. Scope

This privacy policy applies to all processing activities related to personal data:

  • Visiting our website
  • Contact form
  • Mail contact
  • Cookies

Depending on the data processing, in addition to the applicable Swiss law (Federal Act on Data Protection (FADP) of 19 June 1992, SR 235.1), European data protection law (Regulation (EU) 2016/679 (GDPR)) may also or exclusively apply.

B. Responsibility

Responsible for the handling of personal data on our website is:
Seraforce AG
Goliathgasse 25
9000 St. Gallen
Email: imprint@seraforce.com

C. Contact details of the Swiss supervisory authorities

Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter
Feldeggweg 1
3003 Bern
Tel. +41 58 462 43 95

2. Processing activities

Depending on your relationship with us, we process different personal data about you for different purposes and on different legal bases.

A. Visiting our website

Data processing

When you access our website, the browser used on your device automatically sends information to the server of our website. This information is temporarily stored in a so-called log file.

The data is processed by HubSpot Inc, Headquarters 25 First Street, 2nd Floor Cambridge, MA 02141 USA ("HubSpot"). Further details can be found in the HubSpot privacy policy at https://legal.hubspot.com/de/privacy-policy.

Personal data

The following information is collected without your intervention and stored until automatic deletion:

  • IP address of the requesting computer
  • Date and time of access
  • Name and URL of the accessed URL
  • Website or source from which the access is made (referrer URL, social media channel, e-mail, etc.)
  • Browser type and version as well as other information transmitted by the browser, such as the operating system of your computer, your device type, your geographical origin, language setting, etc.

Purpose

The said data are processed for the following purposes:

  • Ensuring a smooth connection of the website
  • Ensuring a comfortable use of our website
  • Evaluation of system security and stability

Under no circumstances do we use the data collected to draw conclusions about your person or to create user profiles with the help of this data.

Legal basis

The legal basis for this data processing lies in our private interest pursuant to Art. 13 para. 1 FADP and Art. 6 para. 1, p. 1 lit. f GDPR respectively.

Necessity

This information is necessary for the functioning of the website.

Retention period

After your session has expired, the session cookies are deleted.

B. Contact form

Data processing

We offer a contact form for general, product- or service-specific quotation requests and resource downloads (white papers, etc.), as well as for access to event recordings.

Personal data

The following information must be provided:

  • Name
  • E-mail address
  • Company
  • Telephone (voluntary)
  • Message
  • Date, time and type of consent

Purpose

The said data will be processed for the following purposes:

  • Answering your enquiry
  • Contacting you about general topics and service

Legal basis

This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 13 para. 2 lit. a FADP or Art. 6 para. 1, p. 1 lit. b GDPR.

Necessity

This information is necessary for making contact.

Retention period

The data stored for the purpose of contacting you will be saved by us until you unsubscribe from further email communication. Once you have unsubscribed, it will be deleted from our servers and from HubSpot's servers. Data stored by us for other purposes (e.g. email addresses for events or newsletter registrations, etc.) remain unaffected by this.

C. Mail contact

Data processing

You have the option of contacting us at the e-mail addresses provided below: imprint@seraforce.com

Personal data

The following data will be processed from you:

  • E-mail address
  • IP address

Purpose

The said data will be processed in order to respond to your request.

Legal basis

This data processing is carried out on the basis of contractual or pre-contractual measures in accordance with Art. 13 para. 2 lit. a FADP or Art. 6 para. 1, p. 1 lit. b GDPR.

Necessity

This information is necessary for making contact.

Retention period

The emails are automatically deleted after 2 years.

D. Matomo Tracking

Data processing

We are using self-hosted tracking by Matomo.
No cookies are being used for tracking purposes.

Personal data

Personal data is being anonymized before it is saved.

Purpose

The use of Matomo serves to statistically record the use of our website and to evaluate it for the purpose of optimization and user-friendliness.

Legal basis

The legal basis for this data processing lies in our private interest pursuant to Art. 13 para. 1 FADP and Art. 6 para. 1, p. 1 lit. f GDPR respectively.

Opt Out

E. Cookies

Data processing

We use cookies on our website. These are small files that are automatically created by your browser and stored on your end device (laptop, tablet, smartphone, etc.) when you visit our site.
We use the following cookies:

  • technically necessary: language (saves current language)
  • technically necessary: mtm_consent_removed (saves tracking opt out, not used for tracking itself)

Personal data

A cookie does not necessarily mean that we can identify you.

Purpose

The use of cookies serves to statistically record the use of our website and to evaluate it for the purpose of optimization and user-friendliness.

Legal basis

We process technically necessary cookies based on our overriding private interest. We only process cookies that are not technically necessary if you have given your consent voluntarily in accordance with Art. 13 para. 1 FADP or Art. 6 para. 1, p. 1 lit. a GDPR.

Necessity

In the default setting of most internet browsers, cookies are accepted automatically. If you do not wish to store cookies from our websites on your device, you can configure your browser settings so that you receive a warning before certain cookies are stored.

Please note that the partial or complete deactivation of cookies may mean that you cannot use all the functions of our websites.

Retention period

Cookies have different retention periods.

If they are cookies from third-party manufacturers, we have no influence on the retention period. A distinction is made between session cookies, which are deleted after a session, and permanent cookies, which can also be stored for different lengths of time beyond the session.

3. Disclosure of data to third parties

Data processing

Your personal data will not be transferred to third parties for purposes other than those listed or to contractors other than those listed and their subcontractors.

Third parties are technology providers for the optimal operation of the websites and social media presences as well as for the provision of the services listed above.

4. Cross-border disclosure to third countries without adequate level of data protection

Data processing

Data is disclosed to third countries without an adequate level of data protection either not at all or only under the contractual obligation to comply with a sufficient level of data protection (e.g. EU standard clauses).

Personal data is only transferred to third countries if the data protection requirements of Art. 6 FADP or Art. 44 et seq. GDPR are met.

A third country is defined as a country outside of Switzerland or the European Economic Area (EEA) in which the Swiss FADP or the European GDPR is not directly applicable. A third country is considered unsafe if, according to the FDPIC or the EU Commission, the country does not have an adequate level of data protection.

With the ECJ ruling of 16 July 2020 (C-311/18), the adequacy decision for the USA was declared invalid. The FDPIC has also revoked the USA's adequacy. The USA is therefore a so-called insecure third country.

When personal data is transferred to the USA, there is a risk that US authorities can gain access to the personal data. Swiss citizens have no effective legal protection against such access in the USA.

In this data protection information, we inform you when and how we transfer personal data to the USA or other insecure third countries.

5. Data security

Data processing

We take appropriate measures to ensure that your personal data cannot be accessed or stolen by third parties without authorisation. In particular, through appropriate technical (e.g. firewall, password protection, SSL encryption, etc.) and organisational (e.g. restriction of authorised persons, training of authorised persons, etc.) measures, we ensure that only authorised persons have access to this data. Our data processing and security measures are continuously improved in line with technological developments.

Personal data

Personal data is any information relating to an identified or identifiable natural person, including name, address, telephone number or email or IP address.

Purpose

We use SSL encryption for security reasons and to protect the transmission of confidential content, such as enquiries that you send to us as the site operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

If SSL encryption is activated, the data you transmit to us cannot be read by third parties.

6. Data retention

Data processing

We retain personal data for as long as we consider necessary or appropriate to comply with applicable laws or as long as it is necessary for the purposes for which it was collected.

We delete your personal data as soon as it is no longer required and in any case after expiry of the legally prescribed maximum retention period of five or ten years. Data that is no longer necessary and for which there is no legal obligation to retain it will be destroyed once the purpose and justification no longer apply.

Personal data

In detail, we retain your data for the following period:

  • We retain data that we process by law for the statutory retention period, for example if required by labour law, social security law, tax law or the Business Records Ordinance;
  • We retain data that we need for the performance of a contract for at least the duration of the contract and for a maximum of 10 years thereafter, unless we need the data to enforce our rights;
  • We retain data that we process to protect our legitimate interests for a maximum of ten years after the end of the contractual relationship, unless we need the data to assert our rights;
  • If you are not hired, your application documents will be deleted or returned to you after a maximum of 2 years.

7. Your rights

As a potentially affected person, you can assert various claims against us in accordance with the applicable national and international law.

In order to fulfil these claims, we may process your personal data again.

Depending on the applicable law, data subjects may exercise the following rights:

  • To request information about their personal data processed by us. In particular, information pursuant to Art. 8 FADP or Art. 15 GDPR may contain information:
    • about the purposes of processing
    • the category of personal data
    • the categories of recipients to whom your data has been or will be disclosed
    • the planned storage period
    • the existence of a right to rectification, erasure, restriction of processing or objection
    • the existence of a right of appeal
    • the origin of your data, if it has not been collected by us
    • the existence of automated decision-making, including profiling, and, if applicable, meaningful information on the details thereof
  • To immediately request the correction of inaccurate or incomplete personal data stored by us (Art. 5 para. 2 FADP or Art. 16 GDPR).
  • To request the restriction of the processing of your personal data, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you refuse its deletion and we no longer require the data, but you need it for the assertion, exercise or defence of legal claims or you have objected to the processing in accordance with Art. 21 GDPR (Art. 15 FADP or Art. 18 GDPR).
  • To receive your personal data that you have provided to us in a structured, common and machine-readable format or to request that it be transferred to another controller (Art. 20 GDPR).
  • To request the deletion of your personal data stored by us, unless processing is necessary to exercise the right to freedom of expression and information, to comply with a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims (Art. 15 FADP or Art. 17 GDPR).
  • You may revoke your consent at any time. This means that we may no longer process the data based on this consent in the future (Art. 4 FADP or Art. 7 Para. 3 GDPR).
  • You may object to the processing if your personal data are processed on the basis of legitimate interests pursuant to Art. 6 (1), p. 1 lit. f GDPR (Art. 21 GDPR) and if there are grounds for doing so that arise from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection, which is implemented by us without specifying a particular situation.
  • To complain to a supervisory authority (see above) (Art. 77 GDPR).

8. Up-to-dateness and amendment of this privacy policy

We reserve the right to change this privacy policy at any time or to adapt it to new processing methods. The current data protection declaration can be accessed at any time at https://www.seraforce.com/privacy.