Privacy Policy

Cyful365 is a security application provided by Cykube Ltd, a company registered in England and Wales (company number 11681033) (“we”, “us”, “our”). Cykube Ltd is the data controller for personal data processed in connection with Cyful365, except where we act as a processor on behalf of an organisation that has deployed Cyful365 (in which case that organisation is the controller and its own privacy notice applies).

This policy explains, in plain terms, what information Cyful365 processes, why, and the choices and rights you have. It is written to meet the requirements of the Microsoft commercial marketplace and applicable data-protection law, including the UK GDPR and the EU GDPR.

Cyful365 is installed by an organisation into its own Microsoft 365 environment. It is intended for use by businesses and their authorised users — it is not directed at children. This policy covers the Cyful365 application and the public Cyful365 website. It does not cover Microsoft’s own services, which are governed by Microsoft’s privacy terms.

To provide the service, Cyful365 processes the following categories of information:

• Account and access information — the identifiers and authorisation tokens needed to connect to your organisation’s Microsoft 365 environment, and to authenticate authorised users.
• Security-relevant data from your Microsoft 365 environment — the security signals and related information made available by your environment that the service needs in order to perform its function. We access only what is necessary to deliver the service.
• Service-generated output — the summaries, assessments and reports the service produces for you.
• Usage and diagnostic data — limited technical logs (such as event timestamps and error information) used to operate, secure and improve the service.
• Contact information — details you provide when you contact us, request support, or sign up for updates.

We do not seek to collect the content of your business documents, emails or files beyond the security-relevant information described above, and we do not use your data to build profiles of individuals for advertising.

We use the information above to:

• provide, operate and maintain the service for your organisation;
• authenticate access and keep the service secure;
• generate the summaries, assessments and reports that are the purpose of the service;
• diagnose problems, provide support, and improve reliability and performance;
• comply with our legal obligations.

Our lawful bases for processing (where the UK/EU GDPR applies) are performance of a contract, our legitimate interests in operating and securing the service, and compliance with legal obligations. Where we act as a processor, we process data only on the documented instructions of the controlling organisation.

The service is designed to access the minimum information necessary and to process it for the sole purpose of delivering the service to your organisation. We apply technical and organisational measures — including access controls, encryption in transit, and restricted, role-based access — to protect information. We do not sell personal data, and we do not share it for third-party marketing.

We use a limited number of trusted service providers (for example, cloud hosting and infrastructure providers) to operate the service. These providers act on our behalf under contract, are bound to appropriate confidentiality and security obligations, and may process data only as needed to provide their services to us. A current list of sub-processors is available on request via contact@cyful.net.

We aim to process data within the UK and/or the European Economic Area. Where data is transferred outside these areas, we put in place an appropriate safeguard recognised under applicable law (such as adequacy regulations or standard contractual clauses) so that your information continues to be protected.

We keep information only for as long as necessary for the purposes described in this policy, to provide the service to your organisation, and to meet legal, accounting or reporting requirements. When data is no longer required, we delete or anonymise it. Where we act as a processor, retention is governed by our agreement with the controlling organisation, and we return or delete data on termination as instructed.

Subject to applicable law, you may have the right to access, correct, delete, or restrict the processing of your personal data, to object to processing, and to data portability. If our processing relies on consent, you may withdraw it at any time.

If Cyful365 was provided to you through your employer or another organisation, that organisation controls your data and you should direct requests to them in the first instance; we will support them in responding. Otherwise, contact us at contact@cyful.net. You also have the right to complain to a data-protection regulator — in the UK, the Information Commissioner’s Office (ico.org.uk).

We take the security of your information seriously and maintain administrative, technical and physical safeguards appropriate to the nature of the data. No method of transmission or storage is completely secure, but we work to protect your information and to respond appropriately to any security incident in line with our legal obligations.

We may update this policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice. Continued use of the service after an update constitutes acceptance of the revised policy.

For any privacy question or request, contact Cykube Ltd at contact@cyful.net.