This notice explains how CyberSage collects, uses, and protects personal data under the EU General Data Protection Regulation (GDPR), the Irish Data Protection Act 2018, and the ePrivacy Regulations 2011 (S.I. 336/2011). It is written in plain English. It is not a substitute for counsel-reviewed documentation and is awaiting formal legal sign-off.
1. Data controller
Emanuel Covasa, trading as CyberSage, based in County Leitrim, Ireland, is the data controller for all personal data collected through this website and the consultancy service. For all data-protection enquiries, contact contact@cybersage.dev. We do not currently operate a separate Data Protection Officer; enquiries are handled by the controller personally.
2. What personal data we collect
- Enquiry data: name, organisation, email, phone (optional), and the content of your message — collected when you submit the contact form or email directly.
- Engagement data: information provided under a signed engagement agreement — typically scope documents, target assets, credentials or access tokens required for testing, and interim findings. See §7 for how this data is handled.
- Technical data: access logs from the hosting provider (IP address, user agent, timestamp, requested URL). Retained by the hosting provider per its own policy.
- No profiling cookies: this site does not set advertising or tracking cookies. Essential functional cookies (if any) are limited to strictly necessary operation.
3. Why we process it (lawful basis)
Under GDPR Article 6 we rely on the following legal bases:
- Article 6(1)(b) — performance of a contract: processing needed to scope, deliver, and bill an engagement.
- Article 6(1)(a) — consent: responding to unsolicited enquiries from prospective clients; marketing follow-up.
- Article 6(1)(f) — legitimate interests: running a professional-services practice, preventing fraud, securing the site itself.
- Article 6(1)(c) — legal obligation: tax records, anti-money-laundering, and other statutory retention.
4. How long we keep it
- Unsuccessful enquiries: 24 months, then deleted.
- Active client records: for the life of the engagement plus six years (Irish tax + contractual limitation period).
- Engagement artefacts (test evidence, screenshots, credentials): securely destroyed within 30 days of final-report delivery unless the client instructs otherwise in writing.
- Server access logs: as per the hosting provider's policy (typically 30–90 days).
5. Who we share it with
We do not sell personal data. We share data only with processors acting under written agreement and only to the extent needed:
- Email / transactional mail providers for correspondence.
- Hosting provider for site delivery (currently EU-based).
- Secure storage providers for engagement deliverables (EU-based, encrypted at rest).
- Accountant / tax adviser for statutory compliance — limited to invoice and contact data.
6. International transfers
By default, personal data stays within the European Economic Area. Where a processor is outside the EEA, transfers rely on the EU Commission's Standard Contractual Clauses and, where applicable, an adequacy decision. We will inform you in writing before any engagement that requires a non-EEA processor.
7. Engagement data — how we handle client systems and test evidence
Penetration testing inherently touches sensitive infrastructure. CyberSage applies the following baseline controls on top of whatever the signed engagement agreement specifies:
- Authorisation: no testing begins without a written, scoped Rules of Engagement signed by an authorised client representative (see Terms §3).
- Credentials + tokens: stored encrypted, used only within the engagement, revoked or destroyed within 30 days of final-report delivery.
- Evidence isolation: screenshots, proof-of-concept code, and extracted data are held in an engagement-specific encrypted vault segregated from other clients' work.
- No training: engagement data is never used to train AI models or retained in AI conversation history beyond the active session needed to produce the deliverable.
- Incidental personal data: any personal data discovered during testing (for example in database dumps) is handled as a processor under the client's controllership, referenced generically in reports, and destroyed with other engagement artefacts.
8. Your rights
Under GDPR Articles 15–22 you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase data where we no longer have a lawful basis to keep it.
- Restrict or object to processing.
- Receive your data in a portable, machine-readable format.
- Withdraw consent at any time where processing is based on consent.
Requests go to contact@cybersage.dev. We will respond within 30 days (extendable to 90 days for complex requests, with notice).
9. Complaints
You may lodge a complaint with the Irish Data Protection Commission (DPC) at any time: dataprotection.ie. We ask that you contact us first so we can try to resolve the issue directly.
10. Security
We maintain technical and organisational measures appropriate to the risk: encryption at rest and in transit, least-privilege access, MFA on all administrative accounts, dedicated hardware for engagement work, and regular review of our own security posture. Despite these controls, no system is perfectly secure. If a breach occurs, we will notify affected clients and, where applicable, the DPC within 72 hours as required by GDPR Article 33.
11. Children
CyberSage is a business-to-business service. We do not knowingly collect personal data from individuals under 16. If you believe a minor has submitted data to us, contact contact@cybersage.dev and we will delete it.
12. Updates to this notice
We will update this notice as our practices, processors, or legal obligations change. Material changes will be announced at the top of this page. The “Last updated” date above reflects the most recent revision.