Privacy Policy

At Cyberion, we are committed to protecting your privacy. This Privacy Policy explains how we collect, use, and disclose your personal information. By accessing or using our website and services, you consent to the terms of this Privacy Policy.
The website (hereinafter referred to as “the Site”) is operated by Cyberion. This Privacy Policy explains what Data is collected when the User uses the Services, and how it is processed.

This Privacy Policy may be amended from time to time to ensure compliance with applicable law.

The version applicable to the User is the one in force on the Site at the date of use of the Services.

1. Definitions

Terms beginning with a capital letter used in the singular or plural in the body of this Privacy Policy shall have the meanings given to them in the Terms of Use, or defined below:

Personal Data or Data: means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an “identifiable natural person” is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

Processing: means any operation or set of operations, whether or not carried out by automatic means, applied to Data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction;

Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the Processing;

Processor: means the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Controller.

2. Processing of Personal Data for which Cyberion is the Data Controller

Cyberion is the Controller of the Processing of the Data that the User communicates to it when using the Services.

Article 1. Personal data processed, purposes of processing and retention time

Personal Data is collected for specific, explicit and legitimate purposes.

Cyberion ensures that Personal Data are processed in an adequate, relevant and limited manner with regard to the purposes for which they are processed:


Article 2. Recipients of personal data
None of the Personal Data concerning the User is transmitted to third parties, with the exception of Cyberion’s staff members or partners and subcontractors, solely for the purpose of carrying out the above-mentioned purposes and within the limits of the information strictly necessary for this purpose.

The User’s Personal Data is stored either in Cyberion’s databases or in those of its service providers, which are located in Switzerland or within the European Union.

The User’s Personal Data is not transferred outside of Switzerland or of the European Union.

Article 3. Data protection officer

The Data Protection Officer appointed by Cyberion can be contacted at the following address:

Article 4. Users’ rights

In accordance with the regulations concerning the Processing of Personal Data, the User has the following rights:

1. Right of access, rectification and deletion
The User may review, update, modify or request the deletion of his/her Personal Data. If he/she has one, the User has the right to request the deletion of his/her User Portal.

2. Right to Data Portability
The User has the right to request the portability of his/her Personal Data, held by Cyberion, to another operator.

3. Right to limit and oppose the processing of personal data
The User has the right to request the limitation of or to object to the Processing of his/her Personal Data by Cyberion, without Cyberion being able to refuse, unless it can demonstrate the existence of legitimate and compelling reasons that may override the interests and rights and freedoms of the User.

4. Exercise of rights

The User may, subject to the production of valid proof of identity, exercise his/her rights by contacting the Cyberion Data Protection Officer by email at

In order for Cyberion to comply with the request, the User is required to provide the following information: their first and last names as well as the e-mail address used on the Site.

Cyberion is required to respond to the User within 30 days.

If the User believes, after contacting Cyberion, that his/her rights have not been respected, he/she may submit a complaint to a supervisory authority.

3. Processing of personal data for which Cyberion is the processor

When performing the cyber risk assessment service, Cyberion acts as a Processor within the meaning of the regulations in force applicable to the Processing of Personal Data, and solely on the instructions of the Company acting via the User, which acts as the Data Controller.

Article 1. Description of the processing by Cyberion

Cyberion is authorized to process on behalf of the Company the Personal Data necessary to provide the following services: external vulnerability scan to identify all the vulnerabilities and cyber risk exposure of the Company and to propose an insurance contract.

Article 2. Duration of the contract
This Privacy Policy is effective upon acceptance by the User, as well as acceptance of the Terms of Use, for an indefinite period.

Article 3. Cyberion’s obligations towards the company

Cyberion is committed to:

1. Process the Data only for the identification, analysis and presentation to the User of the vulnerabilities and cyber risk exposure of the Company and the provision of prevention services.

2. Process the Data in accordance with the Company’s documented instructions, as described in the Terms of Use. If Cyberion considers that an instruction constitutes a breach of the data protection regulation, it shall immediately inform the Company.

3. Guarantee the confidentiality of the Personal Data processed.

4. Ensure that persons authorized to process Personal Data under this Agreement are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality, and receive the necessary training in the protection of personal data.

5. Take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.

Article 4. Subsequent processing

Cyberion is authorized to use the following entities to conduct the Processing activities described below (hereinafter, the “Subsequent Processors”):

• Xano: Hosting Personal Data;
• Hubspot: Hosting Personal Data;
• Bastion: Light vulnerability scan, cyber risk assessment & prevention services;
• Helvengo: Insurance Broker;
• Usecure: Phishing and cyber training services.

Subsequent Processors are required to comply with the obligations of this contract on behalf of and according to the instructions of the Company. It is Cyberion’s responsibility to ensure that Subsequent Processors present the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets regulatory requirements. If Subsequent Processors do not fulfil their data protection obligations, Cyberion remains fully responsible to the Company for the Subsequent Processors’ performance of their obligations.

Article 5. Right to information of the data subject
It is the Company’s responsibility to provide information to the persons concerned by the Processing operations.

It is the responsibility of the Company, in its capacity as Data Controller, to obtain any necessary consent from the natural persons concerned, in correlation with the purposes of the Processing pursued.

Article 6. Exercise of the rights of data subjects

The persons whose Data have been collected must assert their rights directly to the Company, which, after studying the admissibility of the request, undertakes to comply with it within the regulatory time limits.

Insofar as possible, Cyberion shall assist the Company in fulfilling its obligation to respond to requests to exercise the rights of data subjects.

When the persons concerned make requests to Cyberion to exercise their rights, Cyberion must send these requests as soon as they are received by e-mail to the contact address given on the User’s User Portal.

Article 7. Notification of personal data breaches

Cyberion shall notify the Company of any violation of Personal Data within a maximum of 24 hours of becoming aware of it, via the contact address provided on the User’s Personal Space.

This notification shall be accompanied by any useful documentation to enable the Company, if necessary, to notify the competent supervisory authority of the breach.

It is the Company’s responsibility to alert, if necessary, the competent supervisory authority and/or the persons concerned, and to comply with its obligations.

Article 8. Assistance from Cyberion in the context of the Company’s compliance with its obligations

Cyberion assists the Company in carrying out data protection impact assessments.

Cyberion assists the Company in carrying out the prior consultation with the supervisory authority.

Article 9. Security measures
Cyberion undertakes to put in place all the necessary means to ensure the confidentiality and security of the Data, so as to prevent their damage, deletion or access by unauthorised third parties.

Cyberion’s technical and organizational measures are as follows:

1. Commitment to confidentiality of its employees
Through the employment contract, the Cyberion employee undertakes to respect the rules and procedures in force in the company, particularly with regard to:
• Professional secrecy;
• Professional and loyal behaviour towards the company.

2. Awareness-raising and training activities on the security of personal data
All Cyberion employees arriving on the project are made aware of security. A presentation of the objectives, individual roles and responsibilities and the security procedures is made.

3. Management of access accounts and authorisation
The security of information and access is managed by the system administrators. They create nominative access with strong passwords for all the tools used by Cyberion.

4. Confidentiality of processed data
Cyberion is committed to:
• Not to make any copies of the documents and data carriers entrusted to it, except those necessary for the performance of the service;
• Not to use the processed documents and information for purposes other than those defined by the Company;
• Not to divulge this information to other persons, whether private or public, natural or legal persons, for the duration of the service.

Article 10. Disposition of data

At the end of the services provided in relation to the Processing of this Data, Cyberion undertakes to destroy all personal Data relating to the Company and the User, with the exception of those whose retention beyond the contractual relationship is authorized by law, by the legitimate interests of Cyberion or by the Company and the User.

Once the Data has been destroyed, Cyberion must justify the destruction in writing.

Article 11. Records of processing activities

Cyberion declares that it keeps a written record of all Processing activities carried out on behalf of the Company including:

• The name and contact details of the Company on whose behalf it is acting, the identification data of the User, any sub-processors and the Data Protection Officer;
• The categories of Processing carried out on behalf of the Company;
• As far as possible, a general description of the technical and organisational security measures.

Article 13. Documentation

Cyberion shall make available to the Company the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the Company or another auditor it has commissioned, and to contribute to these audits.

Article 14. Obligations of the Company towards Cyberion

The Company agrees to:

• Document in writing the instructions concerning the Processing of Data by Cyberion in particular by keeping a copy of the Terms of Services;
• Ensure, beforehand and throughout the duration of the Processing, that Cyberion complies with its regulatory obligations;
• Supervise the Processing, including conducting audits and inspections at Cyberion.