Hut Six Privacy Policy
Purpose
This privacy policy is intended for the users of Hut Six Security’s services and is separate from the privacy policy on the Company’s public website. In this policy, the Company aims to be fully transparent about what data is collected and how it is processed.
Scope
This policy is applicable to all users of the Company’s services. The Company’s services include the Information Security Awareness Campaign and the Phishing Simulator. In the delivery of these services, the Company is the data processor and the Customer Organisation is the data controller.
Terms and definitions
The Company
The Company refers to Hut 6 Security Limited, a company registered in England and Wales. Registered No: 10447061. Registered Office: Platfform, 11 Devon Pl, Newport, Wales, NP20 4NW, who are contracted by the Customer Organisation to provide information security software services.
Customer Organisation
Customer Organisation refers to organisations who subscribe to the Company’s information security software services.
Campaign Manager
The main liaison between the Company and the Customer Organisation. This person would have administrative access to the Learning Management System (LMS) and would be the users’ first port of call for any enquiries regarding the Customer Organisation’s use of the service.
Data Handling
User information, namely scores and completion of the information security awareness tutorials, is collected in order to allow Campaign Managers to monitor and measure user progress. Similarly, user information from the Phishing Simulator is collected to measure user response and phishing awareness. Users who fall for simulated phishing attacks are redirected to on-the-spot training.
Information the Company collects and receives
Account creation information
- Email address
- Full name
- Passwords
- Group membership
- Time zone
- Account preferences
Information Security Awareness Campaign information
- Attempts at tutorials
- Answers to questions in tutorials
- Progress through the curriculum of tutorials
- User feedback on tutorials
Phishing Simulator information
- Simulated phishing emails opened
- Engagement with a simulated phishing email by replying, forwarding, deleting, opening attachments or clicking on links embedded in the email
- Engagement with a simulated phishing website by entering form data, clicking links, downloading files or clicking on images
- Completion of on-the-spot training
- Requests for further training
Log information
- IP Address
- Browser type
- Browser settings
- Information on the webpage viewed before using the services
- Date and time of use of services
- Cookie Information
How the Company processes user data
Processing required:
- To deliver the contracted services to the Customer Organisation
- For security purposes
- To be able to improve the Company’s services in the future
Account creation information
All users are required to have a user account with the Company. This account creation information will be used to communicate with users about the Company’s services and to set up a user account for both the Information Security Awareness Campaign and the Phishing Simulator Campaign. The email address provided will be used as a target for the Phishing Simulator.
Account preferences are used to remember settings that the user has previously chosen. This includes information such as whether to enable closed captioning on tutorials.
Information Security Awareness Campaign information
The training tutorials are not only to educate personnel in Information Security but also to allow their progress to be tracked by the Campaign Manager. Completeness of training and scores from each tutorial will be saved for this purpose. Scores are calculated for each tutorial; these scores are calculated from the answers users give during the tutorials.
Phishing Simulator campaign information
The Phishing Simulator’s purpose is to increase personnel’s awareness in regards to the threat of phishing attacks and educate them on how to spot such attacks.
It allows Campaign Managers to see how users react to receiving a simulated phishing email. This incorporates whether they open or engage with the emails (such as following a link within the email or replying to the email). This information may be recorded along with completeness of the on-the-spot training, so that Campaign Managers can be given progress reports.
If users engage in a way where they fill out a form on a webpage, the information entered will not be submitted or transmitted over the internet and so will not be collected by the Company.
Any replies to emails are stored but are not further processed.
Log data
To allow for their services to run smoothly, the Company collects Log Information. The use of Cookies and Google Analytics allows us to collect this information. This data would prove vital in the case of an Information Security incident, as it would allow the Company to identify the incident and mitigate the situation faster.
This information also allows for optimisation of services as it gives the Company an insight into the systems their services are running on, such as browser type and whether users have logged in from a location before.
Data Retention
Data is retained for as long as required to complete our obligations to the Customer Organisation. Log data is retained for up to a year. In cases where there is an ongoing legal or security incident, data may be retained until the incident has been resolved. Information that is no longer needed will be deleted.
Your rights
You have the right to access and rectify the information we hold about you through the Customer Organisation. You also have the right to object to the processing of your information, and the right to lodge a complaint with a supervisory authority. The supervisory authority in the United Kingdom is the Information Commissioner’s Office who can be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
EU Representative
We have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (GDPR), or have any queries in relation to your rights or privacy matters generally, please email our Representative at eurep@itgovernance.eu or post your request or query to: EU Representative, IT Governance Europe, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682.
When contacting our Representative please ensure you include our company name in any correspondence.
Sharing and Disclosure
The Company does not currently share any information with third party data controllers; if this changes, the Company will notify its customers.
Sub-processors
The Company uses some organisations to provide specific parts of the service that process personal data. These organisations are listed below.
| Organisation | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Amazon Web Services provide the infrastructure used to host the Company's services. | Ireland |
| Freshworks, Inc. | We use Freshdesk, by Freshworks, to handle support queries. | United States |
| Stripe, Inc. | Hut Six uses Stripe to provide payment services. | United States |
Data Protection
There are measures in place to ensure that the Company handles sensitive data in accordance with the UK GDPR and the EU GDPR. All data sent and received from the Company’s websites uses TLS 1.2 or above. All passwords will be stored in an unreadable format. To do this, passwords are hashed using industry standard hashing algorithms.
Contact Details
For any queries, please contact support@hutsix.io.
Glossary
GDPR Glossary
EU GDPR
The EU GDPR (General Data Protection Regulation) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). The EU GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue based.
UK GDPR
The UK GDPR is the UK's data processing legislation following its exit from the European Union.
Specifically, it refers to the Data Protection Act 2018 as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
Data Controller
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data Processor
The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Personal Data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.
Technical Glossary
Internet Protocol (IP) Address
A way of identifying where data traffic is coming from and where to send it to. Computers on a network have their own internal IP address (comparable to a flat number in a block of flats); however, when data is sent outside of the network, all computers on the same network share the same external IP address (comparable to the address of the block of flats).
Internet browser type
The software used for browsing the internet and/or viewing a cloud-based service such as that of the Company. A list of supported operating systems and browsers can be found on the Company’s public website under Accessibility Options.
Internet browser settings
This refers to settings that can be personalised within an internet browser, such as language preferences and add-ons.
Cookies
A small piece of text saved on a computer which allows a website to remember who a user is and information about their preferences.
Google Analytics
Google Analytics is a freemium web analytics service offered by Google that tracks and reports website traffic.
Related Policies
No related policies.
Policy Revisions
This document will occasionally be updated to reflect changes and feedback. We encourage you to review this policy periodically.
| Purpose/Change | Date |
|---|---|
| Updated definitions to reflect the end of UK-EU transition period. | 2020-01-18 |
| Addition of an EU representative. | 2020-12-31 |
| Removal of Mailgun as a sub-processor. | 2020-12-17 |
| Added Freshworks as a sub-processor and updated TLS version reference. | 2020-03-04 |
| Added sub-processor details. | 2018-05-24 |
| Clarified legal basis for processing. Added data retention and contact details sections. Expanded on the user’s rights. Fixed issues with grammar and glossary definitions. | 2018-04-26 |
| Initial Policy | 2018-04-16 |