1. Introduction

This Privacy Policy applies to the Virtual CISO services provided by Peak Defence (“Services”). It explains how we handle data in the course of providing these Services.

2. Data Processing and Personal Data

The Services are designed not to process personal data. There is no expectation or requirement for users to upload personal data into the product and this would contradict the Terms of service.

3. Data Hosting and Processing

The Services are hosted on AWS infrastructure located within the European Union (EU) - or in other regions if specifically contracted with customers. AWS acts as a data processor on behalf of Peak Defence. Langfuse is another data processor used for the hosted service (for deployments under Starter package, starting from Scaleup and Enterprise packages a different deployment model can be negotiated), under strict data protection agreements - they receive the queries data made against the service and responses to the queries, but not the original data / documents used to create answers. Users have the option to run a local version of the Services on AWS, or for Enterprise versions, a hosted version where no data leaves the customer’s premises.

4. Data Security

Peak Defence implements robust security measures to protect data integrity and prevent unauthorized access. In order to protect the data Peak Defence is using an information security management system built on top of ISO/IEC 27001:2022 standard requirements.

5. Data Retention

Data is retained only as long as necessary for providing the Services and in compliance with applicable legal requirements. Overall Data retention is up to 30 days for the following data: Backups of data to enable proper recovery of data in cases of disasters (backups kept for up to 90 days) Logging to ensure security of solution (logs kept for up to 90 days) # 6. Your Rights Since the Services do not process personal data, traditional rights under data protection laws, such as access, rectification, or deletion of personal data, may not be applicable.

9. Cookies and Consent Management

Peak Defence uses cookies and similar technologies to enhance your experience, analyze site usage, and deliver personalized ads. We respect your privacy and comply with regulations by allowing you to manage your cookie preferences at any time.

Types of Cookies We Use

• Strictly Necessary: Required for basic site functionality. Always enabled.
• Analytics: Help us understand how visitors interact with our site (e.g., Google Analytics).
• Marketing/Ads: Used to deliver personalized advertising (e.g., Google Ads).

How We Collect and Use Consent

• On your first visit, you will see a banner asking for your cookie preferences. You can accept all, reject non-essential, or customize your choices.
• Your choices are stored in your browser’s local storage and are applied to Google services using Google Consent Mode.
• No analytics or marketing cookies are loaded until you provide explicit consent.
• You can change your preferences at any time by clicking the “Cookie Preferences” button on the site.

Consent Logging

• Your consent choices are stored locally in your browser. For audit and compliance purposes, we may also log your consent decision (including timestamp and browser info) to our secure backend.

Your Rights

• You can withdraw or change your consent at any time.
• For more information or to exercise your rights, please contact our Data Protection Officer at privacy@peakdefence.com.

For full details on cookies, see our Cookie Policy.

10. Changes to This Policy

Peak Defence reserves the right to modify this Privacy Policy at any time. Any changes will be posted on our website and effective immediately.

11. Contact Information

For any questions regarding this Privacy Policy, please contact Peak Defence at csupport[at]peakdefence.com.