This privacy notice tells you what to expect us to do with your personal and technical information.
You can contact our sales team at sales@skysiege.net
Customers can contact us at accounts@skysiege.net
We collect or use the following information to provide services and goods, operate customer accounts, manage guarantees and for legal purposes:
- Names of business and authoritative contacts
- Contact details for the business and authoritative contacts, including email addresses and contact phone numbers
- Addresses, including registered business addresses
We will not share your commercial data with any external party except in the following circumstances:
- UK Law Enforcement (“Competent Bodies” under GDPR Legislation) where a legally valid request for the information has been provided and our business is legally compelled to comply
- An auditing body where legally required to validate SkySiege’s financial data
We do not hold, access or process any payment data. All payment data and transactions are handled by our payments partner Stripe Payments UK Ltd. Additionally, your payment data may be processed by payment intermediaries such as banks and financial institutions.
We are not privy to this information; however, Stripe’s privacy policy has further information and is available at this location.
Should you not wish to utilise our payments partner we would be happy to provide you with details for a direct transfer. This payment method is likely to delay the start of your services. Please contact us on accounts@skysiege.net to discuss your preferred arrangement.
Our lawful bases for collecting or using personal information to provide services, operate customer accounts, manage guarantees and for legal purposes include:
- Consensual provision of all information
- Contractual requirements
- Provision of the services
We only get information with consent from authoritative parties that represent our business customers.
We keep a copy of all receipts, quotes and proof of purchase indefinitely for taxation and bookkeeping purposes. We consider these documents to be Commercial Documents. This information includes:
- Product Purchased
- Amount charged
- Business Name and provided contact details
- Access Data, if requested to be on the documentation
Under data protection law, you have rights including:
- Your right of access - You have the right to ask us for copies of your personal data.
- Your right to rectification - You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure - You have the right to ask us to erase your personal data in certain circumstances.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal data in certain circumstances.
- Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
- Your right to withdraw consent - When we use consent as our lawful basis you have the right to withdraw your consent.
You don’t usually need to pay a fee to exercise your rights. If you make a request, we have one calendar month to respond to you.
To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.
If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.
If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
During our work we collect and utilise the following information under the following definitions:
- AWS IAM Role ARN that we assume to access your account
- The AWS Account ID
- Any targeting data such as which AWS Regions or Resources to selectively scan. By default we scan all regions and compatible services
- Various AWS resource specific data that is not Critically Private Data
- A collection of test results inferred from Analysis Data that indicate vulnerabilities in the targeted AWS Account(s)
We keep the above technical information along the following schedules:
Access Data is data that describes the access route to perform scanning on the intended account(s). We consider Access Data to be sensitive but low risk, ie, we will keep Access Data confidential, but it does not pose a major security concern as the data alone neither allows access nor indicates vulnerabilities. Access Data originates:
- During scoping and initial quotation (AWS Account IDs, Role ARNs, other access data)
- During scanning and testing
We keep access data along the following schedules depending on where it is present:
- We delete any Access Data stored alongside Analysis Data (eg, profiles utilising Role Assumption) 30 days after delivery of the Report
- If Access Data is provided or requested on commercial documents then Access Data will appear on these commercial documents which we permanently retain. For example, if Invoices are requested to contain AWS Account IDs for customer convenience then this data will remain on our permanently stored copies of these Invoices
Analysis Data is data that is generated and inferred during scanning and testing. We consider Analysis Data to be both sensitive and high risk. Analysis Data includes the following:
- Generated during Scanning
- Generated by tests built on the scanned data
- The generated Report
- Up to 30 days after the report is submitted to the client
To handle this we perform the following:
- No Analysis Data leaves the SkySiege private networks once it is collected, with the exception of the generated Report which we email as an encrypted attachment
- All Analysis Data is encrypted at rest utilising AES-256 and, during scanning, in transit using TLS v1.3 with the AES-128-GCM-SHA256 cipher suite
- The Report will be emailed to a designated email address and encrypted with AES-256 ciphers. The password will be separately communicated to a different contact point provided at scoping
- All Analysis Data is permanently deleted after a period of 30 days from report submission
During the 30 days following submission of the Report we retain a copy of the Report and our logs should there be any queries or issues. After 30 days from delivery of the Report we delete all Analysis Data including the generated Report.
We never access, record or analyse critically private data.
During scanning and testing we access resource specific information provided by the AWS APIs. This information contains resource specific technical details that vary depending on the resource. For example, an AWS EC2 Instance (virtual server) includes information such as:
- The ID for the server
- The latest launch time
- The Amazon Machine Image ID that the server was booted from
- Any public IP addresses attached to the instance
- Any IAM Profiles that the instance is utilising
- Any SSH Key IDs that the instance is provisioned with
- Which network subnet the instance operates in
This information is utilised by our scanning and testing to provide the services.
By default we have no capacity or functionality to access the sensitive information in the following list, which prevents any access at all to it:
- RDS Passwords
- AWS Secrets Manager secret values
- Private information for AWS Certificate Manager resources
- Personal information attached to IAM Roles or Users
- Any code held in AWS CodeCommit repositories
- Any Docker image data held in AWS Elastic Container Registry
- Elastic Kubernetes Service Access Credentials
- AWS Lambda Environment Variables
- IAM Access Keys or long lived tokens
- Short lived tokens issued from AWS Security Token Service, with the sole exception of the token(s) issued for our access to perform scanning
Our access to your technical information is wholly controlled by the permissions that you grant when allowing us access. If there are services that you do not wish us to scan you can remove those permissions and disallow access. Our scanner may attempt access and will gracefully fail if permission is denied.
We’re happy to provide guidance on how to achieve this.