1. Introduction

CSFaaS is committed to protecting your privacy and ensuring the security of the data processed through our platform. This Privacy Policy explains how we collect, use, store, protect, and disclose (or refrain from disclosing) your data when you access or use our services ("Service").

The Service is provided by Dark Protect Limited, a company registered under the laws of Malta, with its principal place of business at Level 5, St. Julians Business Centre, Elija Zammit Street, St. Julians, STJ3153, Malta, and registered with the Registrar of Companies (Malta) under number C108959.

For the purposes of this Policy, "CSFaaS" refers to Dark Protect Limited operating under the CSFaaS brand, and may be used interchangeably with "we," "us," or "our" throughout this document.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with the practices described herein, you should not use the Service.

2. Data Collection

We collect the following categories of data to provide, secure, and improve the CSFaaS platform:

Account Information: Information provided during registration or account management, including your name, email address, company name, business contact details, and login credentials.

Usage Data: Data generated through your interaction with the Service, such as configuration settings, audit logs, user actions, system preferences, and cybersecurity risk assessment inputs.

Sensitive and Submitted Data: Any personal, sensitive, confidential, or proprietary corporate data that you or your users voluntarily submit to the platform while using the Service for cybersecurity monitoring, compliance, or analysis purposes.

Note: While CSFaaS does not intentionally collect GDPR-defined "special categories of personal data," such data may be processed if submitted by you as part of the Service.

Technical and Device Data: Data automatically collected from your device or browser when you access the platform, including your IP address, browser type and version, operating system, device identifiers, language settings, and referral URLs.

3. Purpose of Data Processing

We process personal and corporate data for the following purposes, in accordance with applicable data protection laws and based on one or more legal bases, including contractual necessity, legitimate interest, and legal obligation:

To deliver and operate the Service: This includes account setup, authentication, access management, and service provisioning.

To maintain and improve the Service: Including feature development, performance optimization, bug fixes, and technical support.

To support cybersecurity risk management: Including data analysis, risk scoring, vulnerability monitoring, and compliance reporting tools.

To communicate with you: Such as service updates, security alerts, administrative messages, and user support.

To ensure platform security and prevent misuse: Including fraud prevention, unauthorized access monitoring, incident response, and abuse detection.

To comply with legal and regulatory obligations: Including data retention requirements, audit readiness, anti-money laundering (AML) compliance, tax obligations, and lawful requests from competent authorities.

4. Data Hosting and Geographic Restrictions

All customer data is hosted exclusively within the European Union (EU). CSFaaS utilizes secure, high-availability data centers located within the EU and ensures that all processing activities comply with the stringent privacy and security standards set forth under the General Data Protection Regulation (GDPR).

We do not transfer your data outside of the European Economic Area (EEA) unless such a transfer is (a) required by law or a binding regulatory obligation, and (b) safeguarded in accordance with Chapter V of the GDPR through mechanisms such as an adequacy decision by the European Commission, the use of Standard Contractual Clauses (SCCs) approved by the Commission, or other legally recognized instruments that ensure an equivalent level of data protection.

By ensuring data localization within the EU and controlling cross-border data flows, we maintain a high level of trust, data sovereignty, and regulatory compliance.

5. Data Retention and Deletion

5.1. Retention Period We retain personal and corporate data only for as long as necessary to deliver the Service, fulfill contractual obligations, and comply with applicable legal or regulatory requirements. Backup archives are securely maintained for a period of one (1) year to support disaster recovery and business continuity operations.

5.2. Deletion Requests You may request the deletion of specific personal or corporate data at any time. Upon receipt of such a request, CSFaaS will delete the identified data from active systems and prevent further processing. Data residing in backup archives will remain inaccessible and will be securely purged after the one-year retention period, in accordance with our internal data retention policies and applicable laws.

5.3. Account Termination Upon termination of your account, either by you or by CSFaaS, your data will be either permanently deleted or irreversibly anonymized, in accordance with applicable data protection laws and retention obligations.

6. User Rights and Data Access

In accordance with the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:

Right of Access: You have the right to request confirmation of whether we process your personal data and, if so, to access that data and obtain a copy.

Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal data concerning you.

Right to Erasure ("Right to be Forgotten"): You may request the deletion of your personal data, subject to our legal obligations or overriding legitimate interests (e.g., fraud prevention, regulatory compliance).

Right to Restrict Processing: You may request the restriction of processing where you contest the accuracy of the data, object to the processing, or believe the processing is unlawful and you oppose erasure.

Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request that we provide your data in a structured, commonly used, and machine-readable format for transmission to another controller.

Right to Object: You may object, on grounds relating to your particular situation, to the processing of your personal data where the legal basis is our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds to continue.

To exercise any of the above rights, please contact our Data Protection Team at legal@csfaas.com. We may require verification of your identity before processing your request. We will respond within the timeframes prescribed by applicable law, typically within one (1) month.

7. Data Sharing and Disclosure

CSFaaS does not sell or rent your personal or corporate data to third parties for direct marketing purposes.

However, we may use aggregated, anonymized, or statistical data derived from customer usage patterns to help third parties understand business trends, customer segments, or market insights. This information may be used to support audience-based advertising, business intelligence, or industry benchmarking, but it does not contain any data that identifies you or your organization personally.

We may also disclose your data under the following specific circumstances:

To Authorized Service Providers: We work with carefully selected third-party vendors who support the operation and delivery of our Service (e.g., hosting, analytics, monitoring). These providers act under our instructions and are contractually obligated to protect your data.

As Required by Law: We may disclose your data to comply with legal obligations, regulatory inquiries, court orders, or lawful requests from government authorities.

In Connection with Business Transfers: If CSFaaS is involved in a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the acquiring entity, subject to appropriate confidentiality and data protection obligations.

To Protect Rights and Safety: We may disclose data when necessary to enforce our Terms of Use, investigate potential violations or security incidents, or protect the rights, property, or safety of CSFaaS, our users, or others.

8. Incident Response and Breach Notification

CSFaaS takes the security of your data seriously and is committed to responding promptly to any suspected or confirmed data breaches.

In the event of a security incident, CSFaaS will make reasonable efforts to contain and investigate the issue and to comply with applicable legal requirements. If it is determined that a breach has occurred that may impact your data, CSFaaS will notify affected users as soon as practicable, providing relevant information about the nature of the incident and the actions being taken in response.

The relevant data protection authority will be informed if the incident meets the applicable legal thresholds for reporting.

9. Ongoing Security and Compliance Efforts

CSFaaS is committed to the continuous improvement of its security posture and information governance practices. We are actively working toward ISO/IEC 27001 compliance, an internationally recognized standard for information security management systems (ISMS).

Our ongoing efforts include regular risk assessments, internal security reviews, and incremental enhancements to our technical and organizational controls. These efforts are designed to strengthen the confidentiality, integrity, and availability of the data we process.

While we do not publicly disclose detailed elements of our security architecture for operational security reasons, please be assured that we follow recognized industry best practices and are continually updating our infrastructure, procedures, and policies to help protect your data against evolving threats.

10. Liability and Disclaimers

CSFaaS shall not be held responsible for any unauthorized access to data resulting from circumstances beyond our reasonable control, including but not limited to acts of third parties, force majeure events, or failures in external infrastructure.

To the maximum extent permitted by law, CSFaaS disclaims all liability for indirect, incidental, special, or consequential damages arising from or related to your use of the Service, including but not limited to loss of profits, business interruption, loss of data, or reputational harm.

You acknowledge that, despite the implementation of robust technical and organizational security measures, no system can be guaranteed to be completely secure. Accordingly, you agree that CSFaaS's liability, if any, shall be strictly limited in accordance with the provisions set out in our Terms of Use.

11. Updates to the Privacy Policy

We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal obligations, or the functionality of the Service. If we make material changes, we will provide notice by updating the version on our website and, where appropriate, by notifying you via email or through the Service interface.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service following the publication of any updates constitutes your acceptance of the revised Privacy Policy.

12. Contact Information

For any questions, concerns, or requests related to this Privacy Policy or the processing of your data, please contact our Data Protection Team: CSFaaS Data Protection Team Email: legal@csfaas.com Address: Level 5, St. Julians Business Centre, Elija Zammit Street, St. Julians, STJ3153, Malta.