This policy describes how Pentest People aims to provide you with information about how we are handling or intend to handle personal information.
Regulation (EU) 2016/679 of the European Parliament (the General Data Protection Regulation (‘GDPR’)) and the Data Protection Act 2018 (together referred to as Data Protection Law) oblige us to provide you with information about how and why we use personal data. We recognise our obligations and your legal rights set out in the Data Protection Law.
Pentest People is a Penetration Testing and Cyber Security Services organisation (company number 10661715) with registered office at Round Foundry Media Centre, Foundry Street, Leeds, LS11 5QP. Pentest People is the data controller of all personal data processed by us.
Registration with the Information Commissioner’s Office
For the purpose of the Data Protection Act (2018), Pentest People is registered as a data controller with the Information Commissioner’s Office.
Personal Data Processed
We collect, store and process personal data for several purposes, mainly client management, client relationship, contract performance, sales opportunities, marketing, service delivery, product development and feedback, finance and invoices.
Pentest People may share data with the following organisations and for the lawful reasons shown:
Xero – Accounting Software
Zoho – CRM Software
Pentest People may use third-party organisations to process personal data under a written contract which incorporates stringent data protection requirements. Pentest People only employs organisations that comply with the provisions of the GDPR. These organisations may be audited to ensure compliance.
Automated Decision-Making and Profiling
Pentest People does not transfer any personal data outside of the EEA.
Pentest People will hold your personal data for as long as it is required to provide you with our services, in accordance with our Data Retention Policy. We may be required to retain some of your data after this time, for a set period, for us to meet our legal obligations including resolving any follow-up issues.
You have the following rights concerning your personal data:
You have the right to obtain confirmation from Pentest People as to whether or not personal data concerning you are being processed, and, where that is the case, access to that personal data.
You have the right to oblige Pentest People to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.
You have the right (under certain circumstances, but not all) to oblige Pentest People to erase personal data concerning you.
You have the right (under certain circumstances, but not all) to oblige Pentest People to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.
You have the right (under certain circumstances, but not all) to oblige Pentest People to provide you with the personal data about you which you have provided to Pentest People in a structured, commonly used and machine-readable format. You also have the right to oblige Pentest People to transmit those data to another controller.
If the lawful basis for processing is consent, you have the right to withdraw that consent.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing.
Pentest People does not perform any automated decision-making based on personal data that produces legal effects or similarly significantly affects you.
Your right to lodge a complaint with a supervisory authority
If you wish to exercise any of your rights concerning your personal data, you should contact Pentest People’s Data Protection Lead at the address provided above. If you are not satisfied with the response you receive, you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is:
Information Commissioner’s Office
(t) 0303 123 1113
(e) [email protected]