Hut Six Privacy Policy

Purpose

This privacy policy is intended for the users of Hut Six Security’s services and is separate from the privacy policy on the Company’s public website. In this policy, the Company aims to be fully transparent about what data is collected and how it is processed.

Scope

This policy is applicable to all users of the Company’s services. The Company’s services include the Information Security Awareness Campaign and the Phishing Simulator. In the delivery of these services, the Company is the data processor and the Customer Organisation is the data controller.

Terms and definitions

The Company

The Company refers to Hut 6 Security Limited, a company registered in England and Wales. Registered No: 10447061. Registered Office: Wesley Clover Innovation Centre, Coldra Woods, Newport, Wales, NP18 2YB, which is contracted by the Customer Organisation to provide information security software services.

Customer Organisation

Customer Organisation refers to an organisation that subscribes to the Company’s information security software services.

Campaign Manager

The main liaison between the Company and the Customer Organisation. This person has administrative access to the Learning Management System (LMS) and is the users’ first point of contact for any enquiries regarding the Customer Organisation’s use of the service.

Data Handling

User information, namely scores for, and completion of, the information security awareness tutorials, is collected in order to allow Campaign Managers to monitor and measure user progress. Similarly, user information from the Phishing Simulator is collected to measure user response and phishing awareness. Users who fall for simulated phishing attacks are redirected to on-the-spot training.

Information the Company collect and receive

Account creation information

  • Email address
  • Full name
  • Passwords
  • Group membership
  • Time zone
  • Account preferences

Information Security Awareness Campaign information

  • Attempts at tutorials
  • Answers to questions in tutorials
  • Progress through the curriculum of tutorials
  • User feedback on tutorials

Phishing Simulator information

  • Simulated phishing emails opened
  • Engagement with a simulated phishing email by replying, forwarding, deleting, opening attachments or clicking on links embedded in the email
  • Engagement with a simulated phishing website by entering form data, clicking links, downloading files or clicking on images
  • Completion of on-the-spot training
  • Requests for further training

Log information

  • IP Address
  • Browser type
  • Browser settings
  • Information on the webpage viewed before using the services
  • Date and time of use of services
  • Cookie Information

How the Company processes user data

Processing is carried out:

  • To deliver the contracted services to the Customer Organisation
  • For security purposes
  • To be able to improve the Company’s services in the future

Account creation information

All users are required to have a user account with the Company. The account creation information is used to communicate with users about the Company’s services and to set up a user account for both the Information Security Awareness Campaign and the Phishing Simulator. The email address provided will be used as the target address for simulated phishing emails.

Account preferences are used to remember settings that the user has previously chosen. This includes information such as whether to enable closed captioning on tutorials.

Information Security Awareness Campaign information

The training tutorials are not only there to educate personnel in Information Security but also to allow their progress to be tracked by the Campaign Manager. Completion of training and the score from each tutorial are saved for this purpose. A score is calculated for each tutorial from the answers the user gives during it.

Phishing Simulator campaign information

The Phishing Simulator’s purpose is to increase personnel’s awareness of the threat of phishing attacks and to educate them on how to spot such attacks. It allows Campaign Managers to see how users react to receiving a simulated phishing email. This includes whether they open or engage with the email (for example by following a link in it or replying to it). This information may be recorded along with completion of the on-the-spot training, so that Campaign Managers can be given progress reports.

If a user fills out a form on a simulated phishing webpage, the information entered is not submitted or transmitted over the internet and so is not collected by the Company; only the fact that form data was entered is recorded. Any replies to simulated phishing emails are stored but are not further processed.

Log data

To keep its services running smoothly, the Company collects Log Information. The use of cookies and Google Analytics allows the Company to collect this information. This data would prove vital in the case of an information security incident, as it would allow the Company to identify the incident and mitigate the situation faster.

This information also allows for optimisation of services as it gives the Company an insight into the systems their services are running on, such as browser type and whether users have logged in from a location before.

Data Retention

Data is retained for as long as required to complete our obligations to the Customer Organisation. Log data is retained for up to a year. In cases where there is an ongoing legal or security incident, data may be retained until the incident has been resolved. Information that is no longer needed will be deleted.

Your rights

You have the right to access and rectify the information we hold about you through the Customer Organisation. You also have the right to object to the processing of your information, and the right to lodge a complaint with a supervisory authority. The supervisory authority in the United Kingdom is the Information Commissioner’s Office who can be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

Sharing and Disclosure

The Company does not currently share any information with third-party data controllers; if this changes, the Company will notify its customers.

Sub-processors

The Company uses some organisations to provide specific parts of the service that process personal data. These organisations are listed below.

Organisation                | Purpose                                                                                                                                      | Location
----------------------------|----------------------------------------------------------------------------------------------------------------------------------------------|--------------
Mailgun Technologies, Inc.  | Mailgun is used to deliver emails to users (excluding simulated phishing emails); this includes activation emails and tutorial reminder emails. | United States
Amazon Web Services, Inc.   | Amazon Web Services provides the infrastructure used to host the Company’s services.                                                        | Ireland
Freshworks, Inc.            | Freshdesk, by Freshworks, is used to handle support queries.                                                                                 | United States
Stripe, Inc.                | Stripe is used to provide payment services.                                                                                                  | United States

Data Protection

There are measures in place to ensure that the Company handles personal data in accordance with the General Data Protection Regulation (GDPR). All data sent to and received from the Company’s websites is encrypted in transit using TLS 1.2 or above. Passwords are never stored in a readable form: they are hashed using industry-standard password hashing algorithms, so the original password cannot be recovered from what is stored.

Contact Details

For any queries, please contact support@hutsix.io.

Glossary

GDPR Glossary

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based.

Data Controller

A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU or Member State law, the controller or the specific criteria for its nomination may be provided for by EU or Member State law.

Data Processor

The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Data Processing

Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Personal Data

Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Technical Glossary

Internet Protocol (IP) Address

A way of identifying where data traffic is coming from and where to send it to. Computers on a network each have their own internal (private) IP address (comparable to a flat number in a block of flats); however, when data is sent outside the network, all computers on the same network typically share the same external (public) IP address (comparable to the address of the block of flats). The IP address the Company records is this external address.

Internet browser type

The software used for browsing the internet and/or viewing a cloud-based service such as that of the Company. A list of supported operating systems and browsers can be found on the Company’s public website under Accessibility Options.

Internet browser settings

This refers to settings that can be personalised within an internet browser, such as language preferences and add-ons.

Cookies

A small piece of text saved on a computer which allows a website to remember who a user is and information about their preferences.

Google Analytics

Google Analytics is a freemium web analytics service offered by Google that tracks and reports website traffic.

Related Policies

No related policies.

Policy Revisions

This document will occasionally be updated to reflect changes and feedback. We encourage you to review this policy periodically.

Purpose/Change                                                                                                                                          | Date
--------------------------------------------------------------------------------------------------------------------------------------------------------|-----------
Added Freshworks as a sub-processor and updated TLS version reference.                                                                                  | 2020-03-04
Added sub-processor details.                                                                                                                            | 2018-05-24
Clarified legal basis for processing. Added data retention and contact details sections. Expanded on the user’s rights. Fixed issues with grammar and glossary definitions. | 2018-04-26
Initial policy.                                                                                                                                         | 2018-04-16