At TrustSig, as a cybersecurity company, we understand the importance of personal data protection well. In this Privacy Notice we want to explain to you how TrustSig OÜ ("we" or "our" or "us" or "TrustSig") collects and processes the personal data of the visitors of the trustsig.eu (and DNS alias trustsig.ee) website and of the TrustSig service clients.
This Privacy Notice concerns you when you are viewing the website or are an actual client of TrustSig services. We will refer to any visitor and client as "you", "your" or the "data subject".
TrustSig is a data controller for all information that is processed when you visit our website. This means that we are responsible for making clear what the purpose of processing is and how personal data is processed on our homepage.
TrustSig is a data processor for all personal information that is processed when a TrustSig client uses our bot mitigation and fraud protection services. This means that we are responsible for following the requirements and guidelines of the TrustSig client, i.e. the data controller.
Whenever we amend this notice, the changes will be published here on our website.
What personal data we process
TrustSig website visits, communication and entering into contract
We may process the following categories of personal data of you as the data subject:
- Website usage data (without identifying the actual person):
  - Visitor’s external/public IP address or corresponding hostname
  - Visitor’s web browser user-agent string
  - Website usage info
- Data related to visitors’ inquiries and communication:
  - First and last name
  - E-mail address
  - Communication data
- Client-related personal data for business conduct (business contacts):
  - First and last name
  - Personal ID-code
  - Business e-mail address
  - Business phone number
  - Role or job position
  - Communication data
Using TrustSig's bot mitigation and fraud protection services
Bot Mitigation Services
In the context of bot mitigation services, we act exclusively as a data processor and process personal data solely on behalf of and under the documented instructions of the data controller. Within this service:
- We do not process direct identifiers
- We do not intentionally process sensitive indirect identifiers
- We do not collect, obtain, or retain additional information that would enable the attribution of web sessions to identified or identifiable natural persons
- We do not perform any attribution of web sessions to specific data subjects
If the data controller combines the processed data with other information under its control in a manner that enables identification, such processing is carried out under the data controller’s sole responsibility. The data controller’s privacy regulations apply to such processing.
Fraud Protection Services
The purpose of the fraud protection service is to determine whether a specific user or session is malicious. In this context, we act as a data processor and process personal data strictly in accordance with the data controller’s documented instructions. Depending on the data controller’s configuration and instructions, processing may include:
- Certain direct and indirect identifiers
- Session-related usage data necessary to detect and prevent fraudulent or malicious activity
The categories of personal data processed are determined by the data controller and specified in the applicable data processing agreement (DPA).
For any use cases described above, we do not process special categories of personal data. If such data is submitted by visitors or clients, we will not process it and will delete it without undue delay.
Purpose and legal basis for processing
When you visit our website, communicate with us or enter into contract
As a data controller, we process personal data for the following purposes and on the following legal bases:
- Ensuring the security, integrity and proper functioning of our website, including detection and prevention of misuse or attacks.
  → Legal basis: Legitimate interests, namely ensuring information security and service reliability.
- Responding to inquiries and communication requests submitted by visitors or clients.
  → Legal basis: Performance of a contract or steps prior to entering into a contract, where the inquiry relates to our services; or legitimate interests, namely managing and responding to communications.
- Providing and managing TrustSig services.
  → Legal basis: Performance of a contract.
- Billing, accounting and compliance with statutory obligations.
  → Legal basis: Compliance with a legal obligation.
When using TrustSig services
As data processors, when TrustSig provides bot mitigation and fraud protection services, we process personal data solely on behalf of and under the documented instructions of our client, who acts as the data controller. In such cases, the purpose and legal basis for processing are determined by the client, not by TrustSig. TrustSig does not determine the purposes or essential means of such processing.
How do we process your personal data
We process the personal data as follows:
- All data is processed in electronic format.
- You, the data subject(s), are instructed to read this Privacy Notice when we establish contact with you.
- We process the data subject’s personal data in accordance with the requirements of the GDPR.
- On our homepage, we do not use:
  - Cookies
  - Automated decision-making systems for marketing activities
  - Visitor profiling for marketing activities
- We set up the following retention policies for the personal data:
  - 15 years for personal data related to security incidents or data breaches
  - 10 years for personal data needed for the performance of the contract (starting from the end of the financial year)
  - 1 year for web server statistical report of top visitors and their request counts
  - 3 months for web server logs.
- While providing bot mitigation and fraud protection services as data processor, we follow the retention requirements of the data controller.
We are not obliged to preserve the personal data of the data subjects longer than indicated above, unless required by applicable law.
Sub-Processors
TrustSig may use the following sub-processors, all ISO27001 and SOC2 certified:
- Cloud IT infrastructure service providers, such as Amazon, Cloudflare, Zone Media
- Cloud collaboration providers, such as Google
Your rights
You as the data subject are entitled, at any time and in accordance with GDPR, to:
- Request information about your personal data processing
- Request access to or copy of your personal data
- Rectify inaccurate or incomplete personal data
- Request that we erase your personal data where it applies
To exercise these rights, the data subject shall forward the respective application to info@trustsig.eu.
Security of your personal data
We implement organisational, physical and technical security controls based on the ISO/IEC 27001 standard to make sure that your personal data is secure.
If you have concerns about any suspicious activity related to the confidentiality, integrity or availability of your personal or other data, or that of other data subjects, please contact us at security@trustsig.eu.
As data controllers, we will promptly notify you, the data subject(s), of any information we have concerning any personal data breach, which is likely to result in a high risk to your rights. In doing that, we will communicate in clear and plain language the nature of the breach and describe the likely consequences. We will also explain measures to limit the negative effects of the event for the data subject(s). As data processors, we are obliged to inform the data controller.
Transferring or disclosing
TrustSig will not forward, sell or disclose the personal data to third parties without informing you. See also the sub-processors section.
There may be circumstances when we are required to disclose personal data by law or governmental authorities. This is done in accordance with GDPR.
Contacts
The best way to contact us for any data protection related inquiry is the email: info@trustsig.eu.
Other contact details:
TrustSig OÜ
Vabaduse pst 174b, 10917 Tallinn, Estonia
Reg.no: 16811982
Complaints
We welcome all your complaints and comments in the first instance. If you still wish to exercise your right to lodge a complaint with the supervisory authority, here are the contacts of the Estonian Data Protection Inspectorate:
www.aki.ee/en/contact.