Privacy Policy

Introduction

This policy describes how Pentest People aims to provide you with information about how we are handling or intend to handle personal information.

Regulation (EU) 2016/679 of the European Parliament (the General Data Protection Regulation (‘GDPR’)) and the Data Protection Act 2018 (referred to as Data Protection law) oblige us to provide you with information about how and why we use personal data. We recognise our obligations and your legal rights set out in the Data Protection Law.

About Us

Pentest People is a Penetration Testing and Cyber Security Services organisation (company number 10661715) with registered office at Round Foundry Media Centre, Foundry Street, Leeds, LS11 5QP. Pentest People is the data controller of all personal data processed by us.

Registration with the Information Commissioner’s Office

For the purpose of the Data Protection Act (2018) Pentest People is registered as a data controller with the Information Commissioners Office.

Personal Data Processed

We collect, store and process personal data for several purposes, mainly client management, client relationship, contract performance, sales opportunities, marketing, service delivery, product development and feedback, finance and invoices.

Pentest People may share data privacy policy with the following organisations and for the lawful reasons shown:

Xero – Accounting Software
Zoho – CRM Software

Sub-contract Processing

Pentest People may use third-party organisations to process personal data under a written contract which incorporate stringent data protection requirements. Pentest People only employ organisations that comply with the provisions of the GDPR. These organisations may be audited to ensure compliance. We periodically appoint digital marketing agents to conduct marketing activity on our behalf, such activity may result in the compliant processing of personal information and these agents may share personal data with Pentest People. A Full list of sub processors is available on request.

Automated Decision-Making and Profiling

Pentest People does not undertake any automated decision-making or profiling. However, if circumstances change, we will inform you via updating our privacy policy.

International Transfers

Pentest People does not transfer any personal data outside of the EEA.

Data Retention

Pentest People will hold your personal data for the length that it is required to provide you with our services in accordance with our Data Retention Policy. We may be required to retain some of your data after this time, for a set period, for us to meet our legal obligations including resolving any follow-up issues.

Your Rights

You have the following rights concerning your personal data:

Right of access

You have the right to obtain confirmation from Pentest People as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data.

Right to rectification

You have the right to oblige Pentest People to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.

Right to erasure (right to be forgotten)

You have the right (under certain circumstances, but not all) to oblige Pentest People to erase personal data concerning you.

Right to restriction of processing

You have the right (under certain circumstances, but not all) to oblige Pentest People to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.

Right to data portability

You have the right (under certain circumstances, but not all) to oblige Pentest People to provide you with the personal data about you which you have provided to Pentest People in a structured, commonly used and machine-readable format. You also have the right to oblige Pentest People to transmit those data to another controller.

Right to withdraw consent

If the lawful basis for processing is consent, you have the right to withdraw that consent.

Right to object to direct marketing

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing.

Rights in relation to automated decision making and profiling

Pentest People does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.

Your right to lodge a complaint with a supervisory authority

If you wish to exercise any of your rights concerning your personal data, you should contact Pentest People’s Data Protection Lead at the address provied above. If you are not satisfied with the response you receive you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

(t) 0303 123 1113
(e) [email protected]