Port Cyber Defense is a cybersecurity company. We hold ourselves to the standards we assess our clients against, and that includes how we handle personal data. This policy explains what we collect when you use port-cyber-defense.com, why we collect it, how long we keep it, and the rights you have over it.
This policy is written to satisfy Articles 13 and 14 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the French Loi Informatique et Libertés. It applies to this website only. It does not cover the GHOST RED platform, which is governed by the separate data processing agreement executed with each client.
The data controller for personal data collected through this website is:
We have not appointed a Data Protection Officer. Under Article 37 GDPR this is not required, as our core activities do not consist of large-scale systematic monitoring of individuals or large-scale processing of special category data. Privacy enquiries are handled directly at the address above.
We collect the minimum necessary. We do not run analytics or behavioural tracking on this site, we do not build advertising profiles, and we do not sell personal data to anyone.
| Data | Where from | Why | Legal basis |
|---|---|---|---|
| Name, email, company, service interest, message | Assessment request and contact forms | To answer your enquiry and, where relevant, take steps prior to entering into a contract | Art. 6(1)(b) — pre-contractual steps Art. 6(1)(f) — legitimate interest in responding to business enquiries |
| Name, email, company | Technical Brief download form | To deliver the requested document and identify who is evaluating our platform | Art. 6(1)(f) — legitimate interest in qualifying commercial interest |
| Data | Why | Legal basis |
|---|---|---|
| IP address, browser type, referring page, timestamps | Server logs, kept for security monitoring, abuse detection, and diagnosing faults | Art. 6(1)(f) — legitimate interest in network and information security |
| Security cookies set by our CDN and WAF provider | To distinguish legitimate visitors from automated attacks and to protect the site against denial-of-service traffic | Art. 6(1)(f) — legitimate interest in security; strictly necessary under the ePrivacy Directive and therefore exempt from consent |
| Advertising cookies and identifiers set by Google | To display advertising on our Blog and Education pages | Art. 6(1)(a) — your consent, collected before any advertising cookie is set |
We use two categories of cookie, and they are not treated the same way.
Strictly necessary cookies are set by our content delivery and web application firewall provider to keep the site available and to block malicious traffic. These are required for the site to function securely and are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive. They do not track you across other websites.
Advertising cookies are set by Google as part of Google AdSense, which we operate on our Blog and Education pages only. Our commercial pages carry no advertising. Google may use cookies, device identifiers, and IP address to serve and measure ads, and, where you consent, to personalise them.
If you are in the European Economic Area, the United Kingdom, or Switzerland, you will be shown a consent notice before any advertising cookie is placed. You may accept, refuse, or configure your choices, and you may change your decision at any time through that same notice. Refusing does not restrict your access to any part of this website. Where you refuse consent for personalisation, Google may still serve non-personalised or limited advertising, which relies only on contextual information and what is strictly necessary to deliver and count the ad.
You can review and adjust Google's use of your data at myadcenter.google.com, and read how Google processes data from partner sites at policies.google.com/technologies/partner-sites. Most browsers also allow you to block or delete cookies directly.
We keep the list short deliberately. Every organisation below acts either as our processor under a data processing agreement, or as an independent controller for its own defined purpose.
| Recipient | Role | Purpose |
|---|---|---|
| Form processing provider | Processor | Receives and relays submissions from our contact and download forms to our inbox |
| Hosting provider | Processor | Operates the servers on which this website runs and generates server logs |
| CDN and security provider | Processor | Delivers the site, filters malicious traffic, and mitigates denial-of-service attacks |
| Google Ireland Limited | Independent controller | Serves advertising on our Blog and Education pages, subject to your consent |
We do not share your personal data with anyone else. We do not sell it, rent it, or trade it. If we are ever legally compelled to disclose data — for example under a valid court order — we will do so only to the extent required, and will notify you unless legally prohibited from doing so.
Some of the providers listed above are established in, or operate infrastructure in, the United States. Where personal data is transferred outside the EEA, that transfer is protected by one or both of the following safeguards under Chapter V GDPR:
You may request further detail on the safeguards applying to a specific transfer by contacting us.
| Data | Retention |
|---|---|
| Contact and assessment enquiries | 24 months from last contact, then deleted |
| Technical Brief download records | 24 months from download, then deleted |
| Server and security logs | 12 months maximum, in line with CNIL guidance |
| Records required for accounting or legal defence | As required by French law, typically 10 years |
| Advertising cookies | As set by Google — see Google's own retention disclosures |
Under the GDPR you have the following rights over your personal data. They are free to exercise, and we will respond within one month of receiving your request.
To exercise any of these, email [email protected] with the subject line “GDPR Request”. We may ask you to verify your identity before we act, to make sure we are not disclosing your data to someone else.
Right to complain. If you believe we have handled your data unlawfully, you may lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr/en/plaintes — or with the supervisory authority in your country of residence. We would rather you came to us first, but that right is yours regardless.
We apply the controls we would expect of any organisation we assess:
No system is perfect, and we will not claim otherwise. In the event of a personal data breach presenting a risk to your rights and freedoms, we will notify the CNIL within 72 hours in accordance with Article 33, and notify you directly where Article 34 requires it.
This website is directed at security professionals and organisations. It is not intended for children, and we do not knowingly collect personal data from anyone under 15 — the age of digital consent in France under Article 8 GDPR as implemented in French law. If you believe a child has provided us with personal data, contact us and we will delete it.
We do not carry out automated decision-making or profiling that produces legal effects concerning you, within the meaning of Article 22 GDPR.
We will update this policy when our processing changes. The version number and date at the top of this page always reflect the current text. Where a change materially affects your rights, we will make that clear rather than quietly amending the page.
Questions about this policy, or about how we handle your data, go to [email protected].
If you have identified a security issue in this website or in the GHOST RED platform, we operate a responsible disclosure programme — please use the same address and we will acknowledge within 24 hours.