Privacy Policy

Latest Update: March 22, 2024

This Privacy Policy describes our handling of personal information in the course of our business activities, including in the Cyber PNM Solution, which includes our web application and the Athena, Vesta, Cyto, Nyx, Odin and Thot services. It also applies to our investigative services and our other related services (together, our "Services"). This page is also designed to help you understand and exercise your privacy rights.

You can reach our Privacy Officer and our Data Protection Officer by e-mail or by mail using the following contact information:

Privacy Officer / Data Protection Officer

By mail at:
Cyber PNM, Inc.
355 rue Peel, office 208
Montréal, QC
H3C 2G9, Canada

By e-mail: privacy@cyberpnm.com

When applicable, we are the processor of your personal data. This means that we process it based on our clients’ instructions. Our clients are the controllers of your personal data. You should refer to them if you have more specific questions on how they process your personal data.

1. When is this Privacy Statement applicable?

This Privacy Statement applies to our commercial and professional services, including Cyber PNM Solution.

Our clients are generally employers who use our Cyber PNM Solution to help their employees and stakeholders remain secure by monitoring their identity. The Cyber PNM Solution requires the processing of personal data for its functionalities and related services, such as:

  • When you use our Solution for the creation and management of your user accounts.
  • Providing technical support to administrative users.
  • Conducting inquiries into potential or actual fraud and identity theft.
  • Providing risk elements regarding your personal data on the dark web.
  • Obtaining threat intelligence on the use of your personal data.
  • During our private investigations or when we assist you following a security breach.
  • Providing you with a risk score based on your digital footprint.
  • Providing our customer with an aggregated risk score for the organization.
  • Monitoring users’ IDs and other identifiers.

This policy covers our processing of personal data, meaning information that directly or indirectly identifies an individual. However, some of this data may not be entirely covered under privacy laws applicable to you, and you may not have the same rights for such data as we explain in this policy. In any case, we will attempt to help you when feasible.

There are a few cases when this Privacy Statement simply doesn’t apply:

  • To our advertising, marketing, digital practices, or other internal activities, such as employee management, requiring the processing of personal data.
  • To third-party services, technologies, or applications, including any social media widget.

In addition, this policy does not apply to the processing of personal data by our customers. Our customers may use our Services for a variety of reasons, including to offer the Cyber PNM Solution to their employees. If applicable, please refer to their own privacy policy for more information.

2. Which personal data do we collect and why?

We collect personal data about you when you use the Cyber PNM Solution, such as the personal data that you input yourself, or which are generated about your use of the Cyber PNM Solution. To provide you with alerts and risk scoring on your digital footprint through monitoring, we also process public data about you which is available on monitored sources, including public forms and the dark net. We may also receive personal data about you from our clients, such as when they ask us to create accounts for you to access and use the Cyber PNM Solution (e.g., e-mail address, employer ID).

The Cyber PNM Solution can provide you with a risk rating on your digital footprints based on the alerts resulting from the monitoring. The risk ratings are provided based on output weighting, including the frequency and dates of alerts.

When we process your personal data based on your consent, you can always withdraw that consent, such as by using the functionalities in the Cyber PNM Solution or contacting us at privacy@cyberpnm.com.

We are the sub-processor of personal data. This means that we process it based on our clients’ instructions. Our clients are the processors of your personal data; they are therefore responsible for determining the lawful basis of their collection.

Purpose of the collection, followed by the categories of personal data:
To create your accounts, manage your accounts and provide you with alerts.
  • Credentials.
  • Employee ID.
  • Name of employer.
  • Usage logs.
  • Consents.
To provide you with technical support services or otherwise respond to your requests.
  • The content of all technical support requests.
  • Your contact information, including, if applicable, your employer.
To provide you with reports or other outputs through the Cyber PNM Solution.
  • Your personal data available through monitored sources, including the underground Internet, as well as leaked data about you, such as social security numbers, credit card information, etc.
  • The content of the report, including your risk rating.
  • Your email address.
To conduct monitoring based on your instructions, including to prevent fraud and provide you with a risk score. You can see the importance of the alert in the Application.
  • Your risk profile.
  • Your public data, including leaked data about you, such as social security numbers, credit card information, etc.
  • Your number of data leaks.
  • Your alert results.
To provide you with a risk scoring based on our analysis of your digital footprint.
  • Browsing history.
  • Your alert results.
  • Your public data, including leaked data about you, such as social security numbers, credit card information, etc.
To provide professional services, such as digital investigations, fraud inquiry services, and audits in case of identity theft.
  • Alert results.
  • Your public data, including leaked data about you, such as social security numbers, credit card information, etc.
  • Your risk scoring information.
  • Any additional information you share with us.
To provide training and customized services based on threat intelligence. To help you respond to the risks affecting your digital footprint, we can provide personalized training. If so, we will consider the alert results obtained about you, as well as your risk scoring. With your consent, we may consult the public data collected about you.

3. Do we use profiling technologies and automated decision-making?

With the Cyber PNM Solution, you can get an overview of your risks and alerts for important events such as potential breaches. To do this, we need to create a profile of you, so that we can monitor it. We collect this profile only to provide you with the services you request through the Cyber PNM Solution, or according to your instructions. The risk scoring is assigned based on the alerts you receive, and customers have limitations on the use of this functionality in any discretionary manner, including as part of any automated decision-making (“ADM”). The risk scoring is intended as a gamification tool to assist in fraud prevention, and not as an ADM system, nor should it be used for this purpose by our clients.

4. How long do we keep your personal data?

We keep your personal data as long as necessary to fulfill the purpose for which it was collected.

Our clients can provision new accounts and delete accounts as necessary. When our service agreements with our clients are terminated or expired, we delete users’ personal data in accordance with such agreements. However, in certain circumstances we must retain the personal data longer to comply with the law or because it is required as part of legal proceedings; in that case, we will retain a copy for this duration.

5. Where do we store your personal data?

We host personal data in Canada. However, some of our providers may be located outside of Canada. If your personal data is processed outside of the jurisdiction where you are located, you may have different rights to it. Your personal data that ends up on the dark Internet, or on monitored sources, is publicly available and we do not control in which jurisdiction it is located.

6. How do we protect your personal data?

Cyber PNM strives to protect personal data. We have implemented appropriate technical and organizational measures to ensure the confidentiality, integrity, and availability of your information. These measures include data encryption, access controls, regular security assessments, and adherence to industry best practices.

Our cloud service provider, AWS, is certified under several frameworks applicable to information security, including ISO 27001, ISO 27017, ISO 27018, SOC I, SOC II and SOC III. This means that we can obtain reports from independent third parties on their security measures, including the physical security measures in place at the data center’s location.

We use SSL and TLS encryption for personal data in transit and store encryption keys in a different location than the personal data. We verify that our suppliers and licensors have adequate security testing, including penetration testing.

We work with information security consultants to develop and securely host our Cyber PNM Solution in the cloud environment of AWS.

7. With whom do we share your personal data?

We don’t sell your personal data as part of ad networks or commercialize it for purposes other than to provide our Services.

Below are the categories of third parties with whom we share personal data. We may also share it with other third parties based on your instructions, including to extract your personal data through your e-mail addresses.

  • Service Providers. We use service providers to provide us with various technology services, such as data hosting (storing data and delivering the Services). Prior to sharing your personal data with service providers, we make sure that we have appropriate contracts with them and that they have adequate measures in place to protect your personal data.
  • Technical Support. To respond to your technical support requests, we may share some personal data with our licensors and service providers, including Anozr Way.
  • Clients. Our clients can allow you to access the Cyber PNM Solution so that you can monitor your digital risk. We do not share with our clients your browsing history, or other public data that we find about you when helping you manage your digital risks. However, we share with them an aggregated overview of the risk for each of their users based on all the output related to their professional email, so they can understand their overall risk posture and take actions, such as by providing customized trainings to their users.
  • Partners. When we perform cyber investigation, we may work with partners who can bring additional expertise, such as legal advisors. We will only share personal data with your prior consent, unless we are instructed by our clients, in which case they are responsible for the lawful basis for processing your personal data.
  • Law enforcement. With your consent, or otherwise on request if we reasonably believe that we are required to under applicable laws, we may share your personal data with law enforcement or the authorities, but only to the extent that we are required to do so.

Also, if we sell our business, or part of our business, or if we conduct a commercial transaction or reorganize our group of companies, we may disclose your personal data for this purpose.

8. What are your data-related rights and options?

You have rights with respect to your personal data. Your rights vary depending on the specific circumstances of your request, your location and the laws that apply to you. If we process your personal data based on your consent, you have the right to withdraw this consent. In most jurisdictions, your rights include the right to modify and access your personal data.

In the European Union and United Kingdom, your rights include:

  • The right to be informed about how we process your personal data.
  • The right to access your personal data.
  • The right to rectify personal data, such as if it is inaccurate.
  • The right to request the erasure of your personal data.
  • The right to request the portability of your personal data.
  • The right to object to the processing of your personal data.
  • The right to contest automated decision-making.

You can read this guide from the UK’s Information Commissioner’s Office for more information.

If you decide to exercise your rights, we may need to ask for additional personal data about you so that we can identify you prior to responding to your request. If we can’t comply with your request, we will explain why. We’ll try our best to get back to you in 30 days, or we will let you know if we need more time.

Please let us know if you have any concerns or complaints about how we process personal data by reaching out directly to our Privacy Officer. We will handle your complaint seriously and take the required actions.

If you disagree with our response, you have the right to challenge our decision or file a complaint with your local regulator. In Quebec, you may contact the Commission d’accès à l’information du Québec. In Canada, you may reach out to the Office of the Privacy Commissioner of Canada. If you are in the EU or if you are not satisfied with our response, let us know; we will investigate your concerns.

If you would like to exercise a right over your personal data, you can reach out at privacy@cyberpnm.com.

We will make sure to get back to you promptly. We may need to ask for more personal data about you to identify you and confirm your identity. We will not use this personal data for any other purposes.

If we can’t respond or agree to your request, we will explain to you why, and try to find a solution with you.

9. Can we update this Privacy Statement?

Absolutely! It is important for us to keep you informed about how we process your personal data. There are many reasons why we may change this Privacy Statement, such as a legislative change or a change in how we collect, use, or release your personal data.

You can see the latest update date at the beginning of this Privacy Statement.

We will inform you if we make material changes to the Privacy Statement.