Privacy Policy

Effective as of November 29, 2024, Compass Security Network Computing AG ("CSNC") and its subsidiaries have updated their Privacy Policy ("Policy").

1 Introduction

This Policy details our commitment to protecting the privacy of individuals who visit our Websites ("Website Visitors"), who register to use the products and services which we market for subscription (available at www.compass-security.com) (the "Service(s)"), or who attend or register to attend sponsored events or other events at which the CSNC Group participates ("Attendees"). For the purposes of this Policy, the term "Websites" shall refer collectively to www.compass-security.com as well as the other websites that CSNC operates and that link to this Policy.

2 Scope of This Policy

In addition to the Websites that link to this Policy, this Policy applies to the following:

  • Compass Security Group Websites: *.compass-security.com
  • The Hacking Lab (*.hacking-lab.com / *.hacking-lab-ctf.com)
  • Filebox Solution: *.filebox-solution.com
  • CSNC group Mobile Applications ("Apps"): HackyEaster / ConFoxy, Filebox Client and other Apps provided by CSNC

In this Policy, personal information means information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity. The use of information collected through our Service shall be limited to the purpose of providing the Service for which the Subscriber has engaged.

Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.

Account Information (as defined below) and other information we collect in connection with your registration or authentication into our Services (as defined below) is covered by this Policy. The security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications or other materials submitted to and stored within the Services by You ("Service Data"), are detailed by this Privacy Policy. If a Subscription Agreement, or other applicable agreement/contract between you and any member of the CSNC Group relating to your access to and use of a specific Service (collectively referred to as the "Service Agreement") has been agreed upon, this Service Agreement will overrule this Privacy Policy.

3 Information That You Provide to Us

Account and Registration Information:

We ask for and may collect personal information about you such as your name, address, phone number, email address, gender and birthdate information.

We refer to any information described above as "Account Information" for the purposes of this Policy. By voluntarily providing us with Account Information, you represent that you are the owner of such personal data or otherwise have the requisite consent to provide it to us.

Other Submissions:

We ask for and may collect personal information from you when you submit web forms on our Websites or as you use interactive features of the Websites, including participation in surveys, contests, promotions, sweepstakes, requesting customer support, appointments, or otherwise communicating with us.

Attendee Information:

We ask for and may collect personal information such as your name, address, phone number and email address when you register for or attend a sponsored event or other events at which any member of the CSNC Group participates.

Mobile Application:

When you download and use our Services, we automatically collect information on the type of device you use and the operating system version. The following data is collected by our Apps (in addition to the "Account Information"):

  • Hacky-Easter: Score, Solutions
  • ConFoxy: Photos and comments
  • Filebox Client: File content as exchanged by the FileBox owners and communication partners

4 Information That We Collect from You on our Websites

Cookies and Other Tracking Technologies:

We may use cookies and other information gathering technologies for a variety of purposes. Specifically, cookies are used to collect and analyze information about how you interact with our websites (web analytics), and to recognize and stop any misuse. These technologies may provide us with personal information, information about devices and networks you utilize to access our websites, and other information regarding your interactions with our websites.

On our website, we use persistent tracking and performance cookies by our third-party providers Google Analytics and Usercentrics Cookiebot with the purpose of tracking information about traffic to the Website and how users use the Website. The information gathered via these Cookies may directly or indirectly identify you as an individual visitor. This is because the information collected is typically linked to a pseudonymous identifier associated with the device you use to access the Website. We may also use these Cookies to test new pages, features or new functionality of the Website to see how our users react to them.

On Hacking-Lab we use persistent tracking and performance cookies by our third-party provider Matomo.

Analytics:

We collect analytics information when you use the Websites to help us improve them:

  • Our websites use 3rd party services such as CleanTalk Anti-Spam & Security, Google Analytics, Google Adwords. They can store and process your IP address. Your IP address may be saved in the server log files, CMS log files, CleanTalk Anti-Spam & Security log files, Google Analytics, Google Adwords. CleanTalk can use Cookies to manage access to the website by the CleanTalk SpamFireWall Function, to secure and to protect this website from spam.
  • Hacking-Lab uses Matomo to track and process the following personal data: Cookies, Anonymised IP address, User ID, Dimensions, Variables, Pages visited, browser and device used, mouse movements, anonymised key strokes, and more (as described here: https://matomo.org/matomo-cloud/). Once the data is processed (number of visitors reaching a not-found page, viewing only one page…), Matomo generates reports to take action, for example changing the layout of the pages or publishing some fresh content.
  • Hacking-Lab furthermore uses additional Analytics based on browser fingerprinting technologies for fraud detection. Hacking-Lab stores IP-addresses, nicknames, usage times, browser and operating system properties.

Without the data, we would not be able to provide you the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

Logs:

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with our Websites and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your devices, your mobile carrier, and system configuration information.

5 Information Collected from Other Sources

Social Media Buttons:

Our Websites provide a link to social media websites like Facebook or Twitter. We do not use Social Media Plugins. Your interactions with these features are governed by the privacy statement of the companies that provide them.

6 How We Use Information That We Collect

General Uses:

We may use the information we collect about you (including personal information, to the extent applicable) for a variety of purposes, including to (a) provide, operate, maintain, improve, and promote the Services; (b) enable you to access and use the Services; (c) process and complete transactions, and send you related information, including purchase confirmations and invoices or job advertisements; (d) send transactional messages, including responses to your comments, questions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages; (e) process and deliver contest entries and rewards; (f) monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes; (g) investigate and prevent fraudulent transactions, unauthorized access to the Services, and other illegal activities; and (h) for other purposes for which we obtain your consent.

If we send you promotional communications, such as information about products and services, features, surveys, newsletters, offers, promotions, contests, and events, or other news or information about us and our partners, we will ask you for your explicit consent (dual opt-in or similar method) before we do so. You can opt out of receiving marketing communications from us by contacting us at privacy@compass-security.com or following the unsubscribe instructions included in our marketing communications.

Legal Basis for Processing:

We collect personal information from you only where: (a) we have your consent to do so, (b) we need the personal information to perform a contract with you (e.g. to deliver the CSNC Services you have requested), or (c) the processing is in our or a third party's legitimate interests based on the GDPR. In some cases, we may also have a legal obligation to collect personal information from you.

Where we rely on your consent to process the personal information, you have the right to withdraw or decline your consent at any time. Please note that this does not affect the lawfulness of the processing based on consent before its withdrawal.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our (or a third party’s) legitimate interests which are not already described in this Notice, we will make clear to you at the relevant time what those legitimate interests are.

If you have any questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided further below in Section 16.

7 Sharing of Information Collected

We use third party partners and services to provide our services. With these partners we have contracts in place that require them to use personal data only as necessary to perform services on our behalf and to implement appropriate security measures as required by law.

Hosting Provider: We host some of our webservers at Metanet (Metanet, Josefstrasse 218, CH-8005 Zürich). We use the service "Server Housing". This means the provider does not have access to personal information stored on our servers.

Web Design: Our websites are designed and developed by CosmoCode GmbH (Prenzlauer Allee 36g, 10405 Berlin), a professional web design company. CosmoCode GmbH helps us create an engaging and user-friendly online experience. They may have access to certain personal data; however, they do not have access to sensitive information like payment details. CosmoCode GmbH is committed to protecting your privacy and handling your data. See https://www.cosmocode.de/en/legal/privacy/

Marketing: Hacking-Lab is working with the marketing agency DACHCOM.CH AG (Communication LSA, Appenzellerstrasse 40, 9424 Rheineck, Switzerland). They may encounter email addresses and full names of potential customers. This is, for example, the case if the contact form on the Hacking-Lab website is filled out. More details can be found here: https://www.dachcom.com/de-ch/datenschutz

Public Lab: OST (Ostschweizer Fachhochschule, Oberseestrasse 10, 8640 Rapperswil), a public Swiss university with a strong background in information security, is hosting our HL Cyber Range. They are an IaaS provider operating the Hacking-Lab infrastructure, whereas the Hacking-Lab platform itself is operated by Hacking-Lab. See https://www.ost.ch/en/systemseiten/privacy-policy

Atlassian: We use products from Atlassian (Atlassian. Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia) to communicate with registered and non-registered users, e.g. Jira Service Management, Jira Work Management, Jira Software, Confluence for support management, project management, issue tracking, BugBounty Services and documentation. In this context, a transfer of data to other countries in which Atlassian offers services (e.g. USA) cannot be excluded. More detailed information on data processing by Atlassian can be found here: https://www.atlassian.com/legal/privacy-policy

CleanTalk: On our Websites we use CleanTalk Anti-Spam & Security (CleanTalk Inc, 111 Barclay Blvd, Suite 202, Lincolnshire, IL 60069, USA) for security reasons and to protect our websites from spam. If you submit data on our websites, your data will be processed in the CleanTalk Cloud Service. Approved requests will not be saved. Therefore, emails, nicknames and messages will be deleted from approved registrations, comments, orders, contact messages and other submissions. Data from non-approved requests will be stored in log files for 7 days. Compass Security has set the data location to Europe, therefore all your data handled by CleanTalk stays within Europe. Furthermore, there are standard contractual clauses to ensure compliance. You can find further information here: https://cleantalk.org/publicoffer#privacy

Google: On our websites, we are using Google Analytics, a web analytics service offered by Google that tracks and reports website traffic. With your consent, Google Analytics will process and collect your personal data (cookies and IP addresses) to give us valuable information. Google uses the data collected to track and monitor the use of our Service. This data may be shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. Google Analytics will transfer your data to the United States and store it for 6 months. To learn more about Google's data transfer policies, see: https://policies.google.com/privacy/frameworks?hl=en-US. For more information on the privacy practices of Google, please visit the Google Privacy & Terms web page: https://policies.google.com/privacy

Matomo Cloud: Hacking-Lab uses Matomo Cloud to collect and analyze information about how you interact with our websites (web analytics), and to recognize and stop any misuse. The personal data received through Matomo is sent to our Company and our service provider: InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. Matomo data is hosted in Frankfurt, Germany. All data and backups of Matomo Cloud are securely stored in Europe. This service is GDPR compliant and has entered into a data processing agreement with us. The privacy policy of Matomo Cloud can be found here: https://matomo.org/matomo-cloud-privacy-policy/.

Usercentrics: On our websites we are using Usercentrics GmbH (Sendlinger Straße 7, 80331 Munich, Germany) Cookiebot, a Consent Management Platform (CMP) to achieve cookie compliance with data privacy regulations. Cookiebot is used to inform users about the cookies our websites use, and we use this platform for consent-based data collection. Upon visiting our websites, your browser may contact servers of Usercentrics and therefore your IP address may be disclosed. Additionally, information related to consent may be stored. Usercentrics uses the Google Cloud Platform. The servers are located in Germany and Belgium. See more information on: https://www.cookiebot.com/en/privacy-policy/

Newsletter Service: We use the European mail delivery service "Brevo" to send our newsletters. This service is GDPR compliant and has entered into a data processing agreement with us. You can find more information here: https://www.brevo.com/gdpr/. By subscribing to the newsletter, you have to accept Brevo's terms and conditions for processing your data. The use of the newsletter service is independent of this website.

Microsoft: We are using Microsoft 365 Bookings as a scheduling tool for booking and administration of appointments. Information you provide to Bookings enables us to process your request or provide services you request. Bookings only requests information necessary such as full name, e-mail, phone numbers and information about the appointment subject. We also use M365 and other cloud services from Microsoft (Teams, Exchange Online, SharePoint Online, PowerAutomate) to process data and for communication. If you contact us via these communication channels, for example your full name, email address, job title and other information will be transmitted to M365 or the Microsoft cloud. According to our settings and current information from Microsoft, all data is stored on servers in Switzerland. Details of the products and the conditions applicable can be found here: https://www.microsoft.com/licensing/terms/product/ForallSoftware/all. By scheduling an appointment, you accept Microsoft's product and licensing terms as well as the data protection and security terms. You understand that Microsoft terms and conditions are subject to change at any time. The Microsoft Terms of Use and Privacy Policy for protecting data in the Microsoft Cloud can be found here: https://www.microsoft.com/licensing/terms/product/PrivacyandSecurityTerms/all (Microsoft Privacy and Security Terms).

Stripe: Hacking-Lab uses Stripe as an online service provider providing debit and credit card processing as a service. Stripe complies with the Payment Card Industry Data Security Standard (PCI DSS) and uses encryption to protect your payment information. All account information is stored by Stripe. We do not store or have access to your full credit card details. By using our services and entering credit or debit card data, you consent to Stripe's privacy policy and terms of service, which govern how your payment data is processed and stored. See https://stripe.com/privacy

Raiffeisenbank Rapperswil-Jona: CSNC works with Raiffeisenbank Rapperswil-Jona (St. Gallerstrasse 51, 8645 Jona SG, Switzerland) to facilitate the payout. If you are eligible for payment from CSNC within the SEPA zone, Raiffeisenbank Rapperswil-Jona may access surname, first name, address, email, account number and bank details. See https://www.raiffeisen.ch/rch/de/ueber-uns/raiffeisen-gruppe/disclaimer-website.html

Wise: In case you are eligible for payment from Hacking-Lab, such as for bug bounty, outside the SEPA zone, Hacking-Lab may process your payment via payment service provider Wise (Wise Switzerland AG, Talacker 41, 8001 Zurich, Switzerland). The following information may be shared with Wise in such a case: Surname, first name, address, email, account number with bank details. See https://wise.com/gb/legal/global-privacy-policy-en

Calendly: Hacking Lab uses Calendly (Calendly, Inc. 115 E Main St., Ste A1B, Buford, GA 30518, USA) for scheduling. Email, names and other personal information entered may be stored in Calendly's web services. Calendly user and invitee data is hosted in United States data centers provided by Google and Amazon Web Services (AWS). Calendly follows the guidelines for data protection and the rights of data subjects in the EU GDPR. More information: https://calendly.com/legal/privacy-notice

Canvas Credentials: We use Canvas Credentials to issue electronic certificates that you receive from us after successfully completing a course. Canvas Credentials is a service offered by INSTRUCTURE (6330 South 3000 East Suite 700 Salt Lake City, UT 84121 USA). Canvas follows industry-standard security practices to protect your personal data. By using our services and agreeing to receive electronic certificates (badges), you consent to Canvas's privacy policy and terms of service in relation to the management and storage of your certification information. See https://www.instructure.com/policies/privacy-badgr

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights:

In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet law enforcement requirements. We may disclose personal information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law.

Community Forums:

The Websites may offer publicly accessible blogs, community forums, comments sections, discussion forums, or other interactive features ("Interactive Areas"). You should be aware that any information that you post in an Interactive Area might be read, collected, and used by others who access it. To request removal of your personal information from an Interactive Area, contact us at privacy@compass-security.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

CSNC Group Sharing:

We may share information, including personal information, with any member of the CSNC Group.

With Your Consent:

We may also share personal information with third parties when we have your consent to do so.

8 International Transfer of Information Collected

CSNC is a Switzerland-based, global company. We store personal information about Website Visitors and Subscribers in Switzerland or in a member state of the EU or in Canada. To facilitate our global operations, we may transfer and access such personal information from around the world, including from other countries in which the CSNC Group has operations for the purposes described in this Policy.

We may also transfer your personal information to our third party subprocessors as listed in Section 7, who may be located in a different country around the world. However, when personal data is processed in other countries, a similar level of data protection as defined in the GDPR is applied. Compass Security ensures data is only transferred either into countries recognized as appropriate or where EU Standard Contractual Clauses approved by the European Commission or Switzerland apply.

Whenever CSNC shares personal information with a CSNC entity it will do so on the basis of its CSNC Binding Data Protection Rules which establish adequate protection of such personal information and are legally binding on the CSNC Group.

If you are visiting our Websites please note that you are agreeing to the transfer of your personal information to the jurisdictions in which we operate. By providing your personal information, you consent to any transfer and processing in accordance with this Policy.

9 Communications Preferences

We offer those who provide personal contact information a means to choose how we use the information provided. You may manage your receipt of marketing and non-transactional communications by clicking on the "unsubscribe" link located on the bottom of our marketing emails or you may send a request to privacy@compass-security.com.

10 How Long We Retain Your Personal Information

We will retain your personal information for as long as is needed to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements). When we have no ongoing legitimate business need to process your personal information, we will delete it. If this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

11 Your Privacy Rights

The security of your personal information is important to us. We follow the GDPR standards to protect the personal information submitted to us. If you have any questions about the security of your personal information, you can contact us at privacy@compass-security.com.

Upon request we will provide you with information about whether we hold or process personal information about you. To request this information, please contact us at privacy@compass-security.com.

In addition, you will have the following rights:

Right of erasure:

You have a right to erasure of personal information that we hold about you – for example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.

Right to object to processing:

You have the right to request that CSNC stop processing your personal information and/or to stop sending you marketing communications.

Right to restrict processing:

You have the right to request that we restrict processing of your personal information in certain circumstances (for example, where you believe that the personal information we hold about you is inaccurate or unlawfully held).

Right to data portability:

In certain circumstances, you may have the right to be provided with your personal information in a commonly used format and to request that we transfer the personal information to another data controller without hindrance.

To make a request to have personal information maintained by us returned to you or removed, please email us. Requests to access, change, or remove your information will be handled within thirty (30) days.

If you would like to exercise such rights, please contact us at the contact details in Section 16 below. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.

You also have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

12 Children's Personal Information

We do not knowingly collect any personal information from children. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal information through the Websites or Services without their permission. If you have reason to believe that a child under the age of 14 has provided personal information to us through the Websites or Services, please contact us at privacy@compass-security.com and we will use commercially reasonable efforts to delete that information.

13 Business Transactions

We may assign or transfer this Policy, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.

14 Supplemental Terms and Conditions for Certain Regions

Canada:

Personal information (as the term is defined in the Personal Information Protection and Electronic Documents Act of Canada ("PIPEDA")) will be collected, stored, used and/or processed by the CSNC Group in compliance with the CSNC Group's obligations under PIPEDA.

15 Changes To This Policy

If there are any material changes to this Policy, you will be notified by our posting of a prominent notice on the Websites prior to the change becoming effective. Based on the severity and impact on your personal rights, your consent might be required for certain changes. In this case, we will notify you and ask for your consent.

In cases of minor changes which do not have an impact on your privacy, we will announce the changes on the websites. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of the Websites or the Services constitutes your agreement to be bound by such changes to this Policy. Your only remedy, if you do not accept the terms of this Policy, is to discontinue use of the Websites and the Services.

16 Contact Us

If you have questions regarding this Policy or about the CSNC Group's privacy practices, please contact us by email at privacy@compass-security.com, or at:

Compass Security Network Computing AG

Werkstrasse 20

CH-8645 Jona

privacy@compass-security.com

Phone: +41 58 510 36 00

17 Choice of Law/Forum Selection

This Privacy Policy shall be subject to and construed in accordance with Swiss law.

The exclusive place of jurisdiction for disputes arising from the Use of Terms is Rapperswil-Jona, Canton of St Gallen (Switzerland).

English Version Controls

English translations of this Policy are provided for convenience only. In the event of any ambiguity or conflict between translations, the German version is authoritative.