We at CloudSoul S.à r.l. (“CloudSoul,” “we,” “us,” or “our”) respect your privacy and are strongly committed to keeping secure any information we obtain from you or about you. This Privacy Policy describes our practices with respect to Personal Data we collect from or about you when you visit our website, contact us, or use the CloudSoul Platform, the Security Report, and any related software, applications, and services (collectively, the “Services”).

CloudSoul is a Luxembourg-headquartered, EU-operated platform for security operations and compliance. Our registered office is at 9 Rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg (RCS Luxembourg B288476, VAT LU35952049).

1. Our role: controller and processor

CloudSoul acts in two distinct roles depending on the data concerned:

  • Controller: For Personal Data we collect about you when you visit our website, create an account, communicate with us, register for events, or otherwise interact with us as a current or prospective customer (for example: account credentials, billing information, marketing preferences, support communications), CloudSoul determines the purposes and means of processing and is the data controller.
  • Processor: When we operate the Services on behalf of a customer organisation and process Personal Data contained in that customer’s telemetry, logs, alerts, configuration, business and IT profile, evidence, or other Customer Data, we act as a processor on the customer’s behalf. Processing in that role is governed by our agreement with the customer (including the Data Processing Agreement) and by the customer’s instructions, not by this Privacy Policy. If you are an end user of one of our customers and have questions about how your data is processed, please contact that customer directly.

This Privacy Policy describes our practices in our controller capacity.

2. Personal Data we collect

We collect Personal Data relating to you (“Personal Data”) as described below:

Personal Data You Provide: We collect the following Personal Data when you create an account, request a demo, request the Security Report, or otherwise communicate with us:

  • Account Information: When you create an account or sign an Order Form, we collect information associated with your account, including your name, business contact information, account credentials, billing details, and transaction history (collectively, “Account Information”). Card data is processed by our payment processor; we do not store full card numbers on our systems.
  • Customer Content (controller scope): Information you submit to us in connection with the website or our sales process, such as the contents of contact forms, demo requests, or feedback (“Customer Content”).
  • Communication Information: If you communicate with us, we collect your name, contact information, and the contents of any messages you send (collectively, “Communication Information”).
  • Social Media Information: We currently maintain a presence on LinkedIn. When you interact with our LinkedIn page, we collect Personal Data that you choose to provide to us, such as your contact details (collectively, “Social Media Information”). LinkedIn may also provide us with aggregate information and analytics about our page activity.
  • Other Information You Provide: We collect other information that you may provide to us, such as when you participate in our events, surveys, webinars, or trials (collectively, “Other Information You Provide”).

Personal Data We Receive Automatically From Your Use of the Services: When you visit, use, or interact with the Services, we receive the following information (“Technical Information”):

  • Log Data: Information that your browser or device automatically sends when you use our Services. Log data includes your IP address, browser type and settings, the date and time of your request, and how you interact with our Services.
  • Usage Data: We may automatically collect information about your use of the Services, such as the pages and features you view, the actions you take, your time zone, country, dates and times of access, user agent, type of computer or mobile device, and connection information.
  • Device Information: Includes the type of device, operating system, device identifiers, and browser you are using. Information collected may depend on the type of device you use and its settings.
  • Cookies and similar technologies: We use a small set of strictly necessary cookies and similar technologies to operate and secure our website and the Services. We do not currently use non-essential analytics or advertising cookies.

Personal Data We Receive From Other Sources: We may receive information from trusted partners, such as security partners (for fraud, abuse, and threat protection), and from publicly available sources, in particular for B2B prospecting and account verification.

3. How we use Personal Data

We use Personal Data for the following purposes:

  • To provide, maintain, and secure our Services and our website;
  • To provision and bill your account, send service notices, and respond to your support and sales requests;
  • To prevent fraud, abuse, criminal activity, or misuse of our Services, and to protect the security of our systems, our customers, and the Services;
  • To improve and develop our Services, including security operations capabilities, using aggregated and de-identified operational metadata that does not identify you, your employer, or any individual;
  • To communicate with you about CloudSoul, including by sending you information or marketing about our Services and events, where permitted by law and subject to your right to object or unsubscribe at any time;
  • To comply with legal obligations and to protect the rights, privacy, safety, or property of our users, of CloudSoul, or of any third party.

Aggregated or de-identified information. We may aggregate or de-identify Personal Data so that it can no longer be used to identify you, and we may use this information to analyse the effectiveness of our Services, to improve and add features (in particular detection and response capabilities), to conduct research, and for other similar purposes. We will maintain and use de-identified information in anonymous or de-identified form and will not attempt to re-identify it, unless required by law.

No sale of Personal Data. We do not sell Personal Data, and we do not use Personal Data to train artificial intelligence or machine learning models that are made available to third parties.

Where the EU General Data Protection Regulation (GDPR) or equivalent law applies to our processing as controller, we rely on the following legal bases:

  • Contract (Art. 6(1)(b) GDPR): to provide the Services, manage your account, process payments, and respond to your requests.
  • Legitimate interests (Art. 6(1)(f) GDPR): to secure our Services, prevent fraud and abuse, conduct B2B prospecting, run service-related analytics on aggregated metadata, and improve our Services. We balance our interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with applicable law and lawful requests from authorities.
  • Consent (Art. 6(1)(a) GDPR): for any processing for which we ask your specific consent (for example, certain marketing communications). You can withdraw consent at any time.

5. Disclosure of Personal Data

In certain circumstances we may disclose your Personal Data to:

  • Vendors and Service Providers (sub-processors): To assist us in providing the Services and operating our business, we engage a limited number of vetted vendors, including providers of EU hosting, customer support tooling, billing, email delivery, and meeting scheduling. These parties access, process, or store Personal Data only in the course of performing their duties to us and under written contracts that include appropriate data-protection terms. The current list of sub-processors used to operate the CloudSoul Platform is available through the CloudSoul Trust Centre or on request at privacy@cloudsoul.net.
  • Business transfers: If we are involved in strategic transactions, reorganisation, bankruptcy, receivership, or transition of service to another provider (collectively, a “Transaction”), your Personal Data and other information may be disclosed in the diligence process with counterparties and others assisting with the Transaction, and transferred to a successor or affiliate as part of that Transaction along with other assets.
  • Government authorities or other third parties: We may share your Personal Data with government authorities or other third parties (i) if required to do so by law or in the good-faith belief that such action is necessary to comply with a legal obligation, (ii) to protect and defend our rights or property, (iii) if we determine, in our sole discretion, that there is a violation of our terms, policies, or the law, (iv) to detect or prevent fraud or other illegal activity, (v) to protect the safety, security, and integrity of our products, employees, or users, or the public, or (vi) to protect against legal liability.

6. Data residency and international transfers

CloudSoul operates the Services from infrastructure located within the European Union. Customer data is hosted in an EU region and does not leave the EU/EEA in the ordinary course of operating the Services. Our default sub-processors are also located within the EU/EEA.

Where, exceptionally, Personal Data must be transferred outside the EEA, Switzerland, or the UK (for example, to a support contact based outside the EU), we rely on the European Commission’s adequacy decisions on certain countries and, for other jurisdictions, on the Standard Contractual Clauses approved by the European Commission and any applicable country addenda. For more information on, or to obtain a copy of, the appropriate safeguards we have in place, please contact us at privacy@cloudsoul.net.

7. Retention

We retain your Personal Data for only as long as necessary to provide our Services to you, or for other legitimate business purposes such as resolving disputes, safety and security reasons, or complying with our legal obligations. How long we retain Personal Data will depend on a number of factors, such as:

  • Our purpose for processing the data (such as whether we need to retain the data to provide our Services);
  • The amount, nature, and sensitivity of the data;
  • The potential risk of harm from unauthorised use or disclosure of the data;
  • Any legal requirements that we are subject to (for example, mandatory retention of accounting records).

For data processed on customers’ behalf as a processor, retention is governed by the relevant customer agreement.

8. Your rights

You have the following statutory rights in relation to your Personal Data, where they apply under your local law:

  • Access your Personal Data and information relating to how it is processed.
  • Request deletion of your Personal Data from our records.
  • Rectify or update your Personal Data.
  • Receive your Personal Data in a portable format (right to data portability).
  • Restrict how we process your Personal Data.
  • Withdraw your consent, where we rely on consent as the legal basis for processing, at any time.

You also have the right to:

  • Object to our processing of your Personal Data for direct marketing at any time.
  • Object to processing of your Personal Data when our processing is based on our legitimate interests.
  • Lodge a complaint with the supervisory authority in your country of residence. The Luxembourg supervisory authority is the Commission nationale pour la protection des données (CNPD).

To exercise any of these rights, contact us at privacy@cloudsoul.net. If your request relates to data we process as a processor on a customer’s behalf, we will refer you to that customer.

9. Children

Our Services are intended for use by businesses and their authorised personnel. We do not direct our Services to children and do not knowingly collect Personal Data from individuals under the age of 16. If you believe that an individual under 16 has provided Personal Data to CloudSoul, please email us at privacy@cloudsoul.net and we will investigate and, if appropriate, delete the Personal Data from our systems.

10. Security

CloudSoul implements appropriate technical and organisational measures to protect Personal Data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit, access controls, logging, vulnerability management, and secure development practices, and are operated by our EU-based security operations team.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will post an updated version on this page and update the “Last updated” date above, unless another type of notice is required by applicable law.

12. How to contact us

The data controller is CloudSoul S.à r.l., 9 Rue du Laboratoire, L-1911 Luxembourg, Grand Duchy of Luxembourg.

For privacy questions or to exercise your rights, contact our privacy team (also acting as the point of contact for data-protection matters) at privacy@cloudsoul.net. For general questions, write to info@cloudsoul.net.