GDPR & Data Protection
REPLACE WITH YOUR LEGAL COMPANY NAME is committed to compliance with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable national data protection laws. This page describes our roles under the GDPR, the legal bases we rely on for processing, your rights as a data subject, and how we handle international data transfers.
01 Data controller and processor roles
When ShieldOps is a data controller. ShieldOps acts as a data controller for personal data we collect about our website visitors, prospective customers, and account holders — specifically: contact information, billing data, and account credentials. As controller, we determine the purposes and means of processing this data.
When ShieldOps is a data processor. When you use the ShieldOps platform to process security telemetry, log data, or other information that may contain personal data about individuals in your organisation (e.g., employee login records, endpoint activity), ShieldOps acts as a data processor on your behalf. You, as the customer, are the data controller for this data. We process it solely on your documented instructions.
A Data Processing Agreement (DPA) is available for execution upon request. Enterprise customers may request a DPA via legal@shieldops.io. The DPA incorporates the Standard Contractual Clauses (SCCs) approved by the European Commission under Decision 2021/914 for international data transfers.
02 Legal bases for processing
For the personal data we process as a controller, ShieldOps relies on the following legal bases under Article 6 GDPR. Customer data that we process as a processor (security telemetry and log data) is processed under the legal basis determined by you, the controller, not under the bases listed here.
- Contract performance (Art. 6(1)(b)): Processing your account, billing, and contact data is necessary to provide the service you have subscribed to and to fulfil our contractual obligations to you.
- Legitimate interests (Art. 6(1)(f)): We process platform usage analytics, security logs of our own infrastructure, and fraud prevention data based on our legitimate interest in operating a secure, reliable service. We balance this interest against your rights and interests before relying on it.
- Legal obligation (Art. 6(1)(c)): We process and retain certain data as required by applicable tax, financial, and regulatory laws.
- Consent (Art. 6(1)(a)): We rely on consent for non-essential cookies and for marketing communications. Consent is freely given, specific, informed, and can be withdrawn at any time without affecting the lawfulness of processing carried out before withdrawal.
03 Your rights as a data subject
Under GDPR, individuals whose personal data we process as a controller have the following rights. To exercise any right, submit a request to legal@shieldops.io with the subject line 'Data Subject Request'. We will respond without undue delay and in any event within one month of receipt, as required by Article 12(3). Where a request is complex or we receive a large number of requests, we may extend this period by up to two further months; if so, we will tell you within the first month and explain the reason for the delay. We may ask you to verify your identity before acting on a request. If we process your personal data as a processor on behalf of a customer, please direct your request to that customer, who is the controller; we will assist them in responding.
- Right of access (Art. 15): Obtain confirmation of whether we process your personal data and receive a copy, together with information about the purposes, recipients, and retention of that data.
- Right to rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17): Request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent and no other legal basis applies, or where you have objected and no overriding legitimate grounds exist. This right does not apply where we must retain the data to comply with a legal obligation.
- Right to restriction (Art. 18): Request that we restrict processing while a dispute about the accuracy of the data or about our legitimate interests is resolved.
- Right to data portability (Art. 20): Receive the personal data you provided to us in a structured, commonly used, machine-readable format and, where technically feasible, have it transmitted to another controller. This applies where processing is based on consent or contract and is carried out by automated means.
- Right to object (Art. 21): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. Where you object to direct marketing, we will stop that processing without exception.
- Rights related to automated decisions (Art. 22): Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you.
04 International data transfers
ShieldOps is headquartered in the United States. When we transfer personal data from the EEA, UK, or Switzerland to the US or other third countries, we rely on the following transfer mechanisms:
Standard Contractual Clauses (SCCs). All transfers to our US parent entity and to US-based subprocessors are governed by the EU SCCs (Commission Implementing Decision (EU) 2021/914) or, for transfers from the UK, by the ICO's International Data Transfer Addendum to those clauses. These clauses are incorporated into our DPA, together with the supplementary measures (such as encryption in transit and at rest) identified in our transfer impact assessment.
EU-US Data Privacy Framework. Where applicable, ShieldOps and its US subprocessors rely on certification under the EU-US Data Privacy Framework (including the UK Extension and the Swiss-US Data Privacy Framework, where relevant) as an additional transfer mechanism. Certification status can be checked on the Data Privacy Framework list maintained by the US Department of Commerce.
Customers requiring data residency within the EEA should contact sales@shieldops.io to discuss our EU-hosted deployment option, which ensures all customer data remains within [CUSTOMISE: your primary cloud provider and EU region(s)].
05 Data retention and deletion
We apply retention periods based on the category of data and the legal basis for processing. When a retention period expires, the data is deleted or irreversibly anonymised:
- Account and billing data: retained for 7 years from the last invoice to meet statutory accounting obligations.
- Platform usage logs: retained for 12 months from collection, then automatically deleted.
- Security telemetry (customer data, processed as processor): retained per the customer's subscription tier and configuration, up to 7 years on Enterprise plans. On termination of the subscription, this data is deleted or returned in accordance with the DPA.
- Support communications: retained for 3 years from the resolution of the support case.
- Marketing consent records: retained for 5 years from the date of consent, or from withdrawal of consent, to demonstrate compliance.
06 Data Protection Officer
ShieldOps has appointed a Data Protection Officer (DPO) as required under GDPR Article 37. Our DPO oversees our data protection programme, advises on privacy-by-design for new features, and serves as the point of contact for supervisory authorities.
You can contact our DPO directly at: dpo@shieldops.io. Privacy concerns and supervisory authority enquiries should be directed to this address. Data subject requests may be sent either to the DPO or to legal@shieldops.io as described in section 03; both routes are handled by the same team and within the same time limits.
07 Supervisory authority and complaints
If you believe we have not handled your personal data in accordance with applicable data protection law, you have the right to lodge a complaint with a supervisory authority. For EEA residents, this is typically the data protection authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement. [CUSTOMISE: your lead supervisory authority — e.g. given that our EU entity (REPLACE WITH YOUR EU ENTITY (e.g. ShieldOps EU Ltd, Ireland)) is established in Ireland, our lead authority would be the Irish Data Protection Commission]. UK residents may complain to the Information Commissioner's Office (ICO). Swiss residents may complain to the Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact us directly first, as we are committed to resolving complaints promptly, but doing so does not affect your right to complain to a supervisory authority.
Our legal and privacy team responds within 2 business days.
legal@shieldops.io