Customer Privacy notice

Who we are and what this notice covers

We’re ISO Serious, a company helping startups and scaleups boost their security and compliance through expert consultancy and penetration testing (pentesting). This privacy notice explains how we handle your personal data when we deliver these services as part of our work together.

We act as an independent controller under UK GDPR, meaning we decide how and why we process your data to deliver our expert services. For our general privacy practices (e.g., marketing or website use), see our main privacy notice at isoserious.com/privacy-notice.

What data we collect and why

When we work together on consultancy or pentesting, we collect only what we need to get the job done. Here’s the breakdown:

  • Contact and Contract Details: Names, email addresses, phone numbers, and job titles of your team members we interact with (e.g., project leads, IT staff). We use this to manage our engagement, schedule meetings, deliver reports, and keep you updated. We rely on legitimate interests (delivering our professional services and running our business smoothly) to process this data.

  • Company and Contextual Data: Information about your business, systems, or processes (e.g., org charts, IT infrastructure details, or employee roles) to scope our consultancy or pentesting. This may include personal data like employee names or access logs if shared during assessments or tests. We process this to provide tailored advice or simulate attacks, relying on legitimate interests (providing expert security and compliance services).

  • Pentesting-Specific Data: For pentesting, we may access or process personal data in your systems (e.g., user credentials, email content, or customer data) to identify vulnerabilities. We only process what’s strictly necessary, securely and under your authorisation, to deliver test results. We rely on legitimate interests (delivering authorised pentesting services) to process this data.

  • Engagement Records: Notes, reports, or correspondence from our work (e.g., assessment findings, pentest reports, or recommendations). These may include personal data if relevant to our deliverables. We keep this to document our work and support our services, using legitimate interests (maintaining accurate records and improving our offerings).

How we use and store your data

  • Consultancy: We use your data to conduct assessments, audits, or training, and to draft policies or recommendations. This might involve reviewing access logs or employee data to evaluate security or processes.

  • Pentesting: We simulate attacks on your systems (e.g., networks, apps, or cloud environments) to spot weaknesses. Any personal data accessed is handled securely, used only for testing, and deleted or anonymised once the report is delivered, unless you instruct otherwise.

  • Storage: We store data securely on industry-standard email platforms, cloud storage, and scheduling tools. Pentest data is encrypted and stored separately with restricted access, using robust security measures. We retain consultancy data for up to 2 years after our engagement ends, unless legal or contractual needs (e.g., dispute resolution or professional indemnity) require longer retention. After that, it’s securely deleted.

  • Sharing: We don’t share your data with third parties unless it’s part of our service (e.g., using providers for email, storage, or scheduling). Some providers are in the USA, but we’ve got safeguards like Standard Contractual Clauses, International Data Transfer Agreements, or the EU-US Data Bridge (which the UK uses) to keep your data safe.

Cookies

No change from our main notice: we only use functional cookies to make our website work. No trackers, no fuss. If you spot a rogue cookie, email us at hello@isoserious.com.

Your rights

Under UK GDPR, you’ve got rights over your personal data. You can:

  • Access what we hold about you.

  • Correct inaccurate data if you can show it’s wrong.

  • Ask us to erase data we don’t need or use without a legitimate purpose.

  • Get a machine-readable copy of data processed under contract or consent (usually just your contact details).

  • Ask us to stop processing data we don’t need for legal or contractual reasons.

  • Prevent fully automated decisions. We don’t do these, so no need to worry.

Reach out to support@isoserious.com to exercise these rights.

Contacting us

Got questions? Email us at support@isoserious.com.

Complaints

If something’s off, talk to us first - we’ll do our best to sort it out. If you’re still not happy, you can reach the ICO at www.ico.org.uk.

Updates

We might tweak this notice if our services or laws change. If it affects our work together, we’ll let you know.

Fin.

Last updated 14/05/25