xorlab Privacy Policy
This Data Privacy Policy (“Policy”) provides an overview of how xorlab AG (“xorlab”, “we”, “our”), via our websites, products and services, handles privacy, and how we protect your Personal Data.
Data and its protection belong to the core of our business. xorlab as well as our employees, contractors and service providers are committed to providing you with transparency and choice when it comes to Personal Data. We thereby define Personal Data as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
We aim to process Personal Data in accordance with applicable legislation, while considering and transparently balancing the relevant interests of our customers, ourselves and other stakeholders.
We invite you to carefully read this Data Privacy Policy, which sets out in which context we are processing your Personal Data and explains your rights and our obligations when doing so. Certain products and services provided by xorlab may have additional specific privacy notices that describe how we handle Personal Data for those products and services. If any other privacy notice conflicts with this Data Privacy Policy, such specific notice will take precedence.
We may update this Data Privacy Policy from time to time. If we modify our Data Privacy Policy, we will post the revised version on this website, with an updated revision date. You agree to visit these pages periodically to be aware of and review any such revisions. If we make material changes to our Data Privacy Policy, we may also notify you by other means prior to the changes taking effect, such as by posting a notice on our websites or sending you a notification. By continuing to use our website or our products and services after such revisions are in effect, you accept and agree to the revisions and to abide by them.
A. What this Data Privacy Policy covers
This Data Privacy Policy describes the following general aspects of our collection and processing of Personal Data concerning you.
- What Personal Data we collect;
- On what grounds and how we process your Personal Data;
- Marketing and Community Networking;
- How we protect your Personal Data;
- How we disclose your Personal Data;
- Your privacy rights;
- Contact us.
Please refer to our complementary product and service privacy notices for additional detail specific to those products and services.
B. What Personal Data we collect
a. General
When you visit and use our websites, products and services, we may collect data or ask you to provide certain data, including Personal Data, about you as you use our websites, products and services and interact with us, for the purpose of helping us manage our relationship with you. “Personal Data” is any data relating to an identified or identifiable individual. If we link other data with your Personal Data, we will treat that linked data as Personal Data. We also collect Personal Data from trusted third-party sources and engage third-parties to collect Personal Data to assist us. Personal Data may include:
- Contact details, such as name, mailing address, email address and phone number;
- Shipping and billing data, including credit card and payment data;
- Your transaction history;
- Data you provide to us to receive technical assistance or during customer service interactions;
- Data about your computer or device, including browser type and settings, IP address and traffic data relating to your Internet connection;
- Product performance data and details about how you use our products and services.
We collect Personal Data for a variety of reasons, such as:
We and the third parties we engage may combine the information we collect from you over time and across our websites and Products and Services with information obtained from other sources. This helps us improve its overall accuracy and completeness, and also helps us better tailor our interactions with you.
If you choose to provide xorlab with a third party’s personal information, you represent that you have the third party’s permission to do so.
b. Website
Most of our services provided on our websites do not require any form of registration, allowing you to visit our website without telling us who you are. However, some services may require you to provide us with Personal Data, which may include your direct identifiers, such as name, birth date, email address or telephone number. We may collect and use Personal Data to provide you with products or services, answer your inquiries, to bill you for products and services you request, to market products and services which we think may be of interest to you, or to communicate with you for other purposes which are evident from the circumstances or about which we inform you when we collect Personal Data from you.
We may collect and process information about your visit to our websites, such as the pages you visit, the website you came from and some of the searches you perform. Such information is used by us to help improve the contents of the website and to compile aggregate statistics using our site for internal, market research purposes. In doing this, we may install “cookies” (see further below) that collect the domain name of the user, your internet service provider, your operating system, and the date and time of access.
C. On what grounds and how we process your Personal Data
We may use your Personal Data for the purposes of operating our business, delivering, improving, and customizing our websites, products and services, sending marketing material and other communications related to our business, and for other legitimate purposes permitted by applicable law.
According to EU Regulation 2016/679 (“GDPR”), processing of Personal Data is lawful only if and to the extent specific grounds mentioned in the GDPR apply. Your Personal Data is used on the following grounds:
a. Your consent Article 6 (1) a) GDPR
You can give us your consent to process your Personal Data in order to:
- send you marketing communications and information on new products, services and trainings;
- subscribe you to a newsletter, send product updates or technical alerts;
- communicate with you about, and provide you with offers upon your request;
- solicit your opinion or feedback;
- order products.
b. Fulfilling our contracts Article 6 (1) b) GDPR
We may process your data in order to fulfil our contractual obligations with you and third parties, such as:
- delivering a product or service you have requested.
- update you on the status of your orders;
- process your purchase transactions;
- analyzing, supporting, and improving products, services and your online experience.
- create and manage your personalized accounts with xorlab;
- allow your registration of products or services;
- verify your identity and entitlement to products or services, when you access our services;
- provide you with technical and customer support; and
- manage your renewals and subscriptions.
c. Legal obligations Article 6 (1) c) GDPR
xorlab is obligated by law to keep records for accounting and tax reasons, to provide information to other public authorities and to be documented in case of legal proceedings.
d. Legitimate interest (in accordance with Recital 47 of the GDPR)
When delivering our products, services and communications to you as well as to our other customers and partners, we may process your Personal Data to:
- communicate commercial promotions, updates and upgrades of products and services;
- provide quotes for our products and services;
- research and implement product improvements;
- evaluate and improve the performance and quality of our products, services and websites;
- provide you with a customized experience when you visit our websites;
- allow interoperability within our applications;
- secure our systems and applications;
- allow for the provisioning of services;
- prevent fraud;
- enforce our legal rights; and
- share your data with partners for sales conversions and lead generation.
e. Legitimate interest (in accordance with Recitals 39 and 49 and Article 32 of the GDPR)
Some of our products and services support organizations to comply with Recital 39 and Article 32 of the GDPR, ensuring that Personal Data is processed in a manner that ensures appropriate security and confidentiality, including for preventing unauthorized access to or use of Personal Data and the equipment used for processing.
xorlab processes Personal Data for network and information security purposes. Pursuant to Recital 49 of the GDPR, organizations have a recognized legitimate interest in collecting and processing Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security. According to Recital 49, network and information security means the ability of a network or of an information system to resist events, attacks or unlawful or malicious actions that could compromise the availability, authenticity, integrity and confidentiality of stored or transmitted data, or the security of the related services offered by, or accessible via those networks and systems.
xorlab is a provider of cybersecurity technologies and services which may include hosted and managed computer emergency and security incident response services. As described in Article 6(1) f) GDPR, it is in our legitimate interests as well as in our customers’, to collect and process Personal Data to the extent strictly necessary and proportionate for the purposes of ensuring the security of our own, and of our customers’ networks and information systems. This includes the development of threat intelligence resources aimed at maintaining and improving on an ongoing basis the ability of networks and systems to resist unlawful or malicious actions and other harmful events (“cyber-threats”). The Personal Data we process for said purposes includes, without limitation, network traffic data related to cyber-threats such as:
- sender email addresses (e.g., of sources of Spam);
- recipient email addresses (e.g., of victims of targeted email cyberattacks);
- reply-to email addresses (e.g., as configured by cybercriminals sending malicious email);
- filenames and execution paths (e.g., of malicious or otherwise harmful executable files attached to emails);
- URLs and associated page titles (e.g., of web pages broadcasting or hosting malicious or otherwise harmful contents);
- IP addresses (e.g., of web servers and connected devices involved in the generation, distribution, conveyance, hosting, caching or other storage of cyber-threats such as malicious or otherwise harmful contents).
Depending on the context in which such data is collected, it may contain Personal Data concerning you or any other data subjects. However, in such cases, we will process the data concerned only to the extent strictly necessary and proportionate to the purposes of detecting, blocking, reporting (by removing any personally identifiable elements) and mitigating the cyber-threats of concern to you, and to all organizations relying on our products and services to secure their networks and systems. When processing Personal Data in this context, we will not seek to identify a data subject unless strictly indispensable to the remediation of the cyber-threats concerned, or required by law.
D. Marketing and Community Networking
xorlab has a legitimate interest in promoting our commercial offerings and to optimize the delivery of communications to that effect to our customers and audiences that are most likely to find them relevant. We will therefore collect and process data to that end as explained below. However, where we are legally required to obtain your consent to provide you with certain marketing materials, we will only provide you with such marketing materials where we have obtained such consent from you. If you do not want to continue receiving any marketing materials from us, you can click on the unsubscribe function in the communication or e-mail.
a. Cookies
Cookies help to make your visit of our website easier, more enjoyable, and more efficient.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either “persistent” cookies or “session” cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies do not typically contain Personal Data, but Personal Data that we store about you may be linked to the information stored in and obtained from cookies.
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. Browsers regularly allow you to set your browser to notify you when you receive a “cookie”; this will enable you to decide if you want to accept it or not. You may also deactivate Cookies. However, if you do not accept our Cookies, you may not be able to use all functionalities of your browser software.
In addition, you may prevent or stop the installation and storage of cookies by your browser settings by downloading and installing the free Opt-out Browser Add-on available at https://tools.google.com/dlpage/gaoptout?hl=en.
If you do not accept cookies, you may not be able to fully experience all functions of our website.
Microsoft Clarity
This website utilizes Microsoft Clarity, an analytics tool provided by Microsoft Corporation (One Microsoft Way, Redmond, WA 98052-6399, USA; "Microsoft"), which uses cookies to analyze your usage of our website, including your entry to the page, navigation, scrolling, and clicking behavior. Under § 25 para. 1 TTDPA, these cookies are only set after obtaining your express consent. The data generated by these cookies is transmitted to a Microsoft Clarity server (potentially located in the USA) and stored for the purpose of session recording and generating heat maps. We use Microsoft Clarity in its default settings to exclude sensitive input data like names or addresses to avoid direct personal identification.
Microsoft uses this data to evaluate your website usage, compile reports on website activity, and provide us with further services related to website and internet usage, including advertising profiling. Microsoft may also share this data with third parties as required by law or when third parties process data on their behalf. You may choose to refuse the use of cookies by adjusting your browser settings, but please note that this may limit your access to some of the website's features.
For more information on Microsoft Clarity, please visit https://clarity.microsoft.com/. The legal basis for processing your personal data is Art. 6 para. 1 lit. a GDPR.
b. Google Analytics
The use of our digital offerings is measured and evaluated by means of various technical systems, mainly from third-party providers such as Google Analytics. These measurements can be carried out in an anonymous or personalized form. The collected data may be passed on by us or the third-party providers of such technical systems based in Switzerland and abroad for processing. The most frequently used and the most popular analysis tool is Google Analytics, a service provided by Google Inc. located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, the US (“Google”).
Google Analytics uses Cookies (see above) stored on your computer to help analyze how users use our website. The information generated by Google Analytics about your use of the website (including your IP address) will be transmitted to and stored on a Google server in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for us, and providing other services relating to website activity and Internet usage. Google may also transfer this information to third parties if this is required by law or if third parties process this data on behalf of Google. Google will not associate your IP address with any other data held by Google.
If you do not want your website activity to be available to Google Analytics, you can install the browser add-on to disable Google Analytics that can be found at https://support.google.com/analytics/answer/181881?hl=en. This prevents the JavaScript (ga.js, analytics.js, and dc.js) running on the websites from sharing activity data with Google Analytics.
The analysis of data by other tools of the website owner is not disabled when you use the add-on. Data may still be sent to the website or other web analytics services.
c. Newsletter, Email and other forms of correspondence
If you sign up for our newsletter(s), or if you contact us via a contact form or directly by E-Mail, we will store some of your information, including your email address, IP address and certain information about the links you click within the emails we send you. We will not sell your email address or share it with any other party, unless we are legally compelled to do so.
In addition to the purposes described above, we may, in compliance with applicable legal requirements, use your Personal Data to provide you with advertisements, promotions and information about products and services tailored to you and your needs. This may include demographic data or trend data provided by third-parties, where permitted. Contact details, including phone numbers, mail and email addresses, may be used to contact you. If you do not want us to use your Personal Data in this way, you can simply choose not to consent to such use of your data on the webpages and/or forms through which such Personal Data is collected. You can also exercise this right at any time by contacting us as explained below.
We use Hubspot to generate and distribute our newsletters. Please refer to Hubspot’s privacy policy at https://legal.hubspot.com/privacy-policy to learn more about their processing of Personal Data.
d. Automated profiling
Where we process network traffic data for the purpose of network and information security based on our or our customers’ legitimate interest as outlined in the corresponding section of this Data Privacy Policy, automated decisions concerning particular data elements may occasionally be made. This could involve in particular assigning relative cybersecurity reputation scores to IP addresses, email addresses and URLs based on objective cyber-threat indicators measured and identified by our products and services. No such processing of data is intended to produce any other effect than protecting you, our customers, xorlab and our partners from cyber-threats. Should you nevertheless consider that such automated processing is unduly affecting you in a significant way, please contact directly the relevant data controller whose use of our products and services is thus impacting you. In case that data controller is xorlab, please refer to the “Your Privacy Rights” and “Contact Us” sections of this Data Privacy Policy to raise your concerns and to seek our help in finding a satisfactory solution.
E. How we protect Personal Data
a. Safeguards
Securing Personal Data is an important aspect of protecting privacy. We take reasonable and appropriate administrative, technical, organizational, and physical security and risk management measures in accordance with market standards and applicable laws to ensure that your Personal Data is adequately protected against accidental or unlawful destruction, manipulation, damage, loss or alteration, unauthorized or unlawful access, disclosure or misuse, and all other unlawful forms of processing of your Personal Data in our possession.
These measures include:
- Physical Safeguards: We lock doors and file cabinets, control access to our facilities, implement a clean desk policy, and apply secure destruction to media containing your Personal Data.
- Technology Safeguards: We use network and information security technologies, and we monitor our systems and data centers to ensure that they comply with our security policies. For example, the connection to our servers is established via secure connections and we back up data on a regular basis, encrypt these backups and store them at data centers in Switzerland. Our technology safeguards are continuously adapted and improved in line with technological developments.
- Organizational Safeguards: We conduct regular training and awareness programs on security and privacy, to make sure that our employees and contractors understand the importance of protecting your Personal Data, and that they learn and maintain the necessary knowledge and skills effectively to protect it in practice.
Our security organization applies policies, standards and supporting security controls at the level appropriate to the risk level and the services provided. In addition, appropriate security controls are communicated to application owners and technology teams to support secure development of products and a secure operating environment.
b. Storage / Duration
The data we collect from you may be stored, with risk-appropriate technical and organizational security measures applied to it, on in-house as well as third-party servers in Switzerland. We will retain your personal information as needed to fulfill the purposes for which it was collected. We will retain and use your personal information as necessary to comply with our business requirements, legal obligations, resolve disputes, protect our assets, and enforce our agreements.
c. Measures upon Personal Data breaches
We take every reasonable measure to prevent Personal Data breaches. When these do occur, we have a process in place to take swift action within our responsibilities. These actions will be consistent with the role we have in relation to the products, services or processes affected by the breach. In all cases, we will work together with affected parties to minimize effects, to make all notifications and disclosures that are required by applicable law or otherwise warranted, and to take action to prevent future breaches.
d. No guarantee
The Internet, however, cannot be guaranteed to be 100% secure, and we cannot ensure or warrant the security of any personal information you provide to us.
F. How we disclose your Personal Data
a. General
We do not sell, lease, rent or give away your Personal Data. We may share your Personal Data with third parties for the purposes of operating our business, delivering, improving, and customizing our solutions, sending marketing and other communications related to our business, and for other legitimate purposes permitted by applicable law or otherwise with your consent.
b. Business Partners
We may provide your Personal Data to our business partners for the purpose of allowing them to conduct business. This may include:
- so that these business partners may share information with you about their products or services;
- to provide a requested product, solution, service or transaction;
- in connection with, or during negotiations of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or to another company.
c. Service Providers Processing Data on Our Behalf
We may use contractors and service providers to process your Personal Data on our behalf for the purposes described in this Statement and the relevant product and service privacy notices accessible below. We contractually require service providers to keep data secure and confidential and we do not allow our data processors to disclose your Personal Data to others without our authorization, or to use it for their own purposes. However, if you have an independent relationship with these service providers their privacy statements will apply to such relationships. Such service providers may include in particular contact centers, payment card processors and marketing/survey/analytics suppliers.
d. Public Authorities
In certain instances, it may be necessary for xorlab to disclose your Personal Data to public authorities or as otherwise required by applicable law. No Personal Data will be disclosed to any public authority except in response to:
- In response to a request for information by a competent authority if we believe disclosure is in accordance with, or is otherwise required by, any applicable law, regulation or legal process;
- With law enforcement officials, government authorities, or other third parties as necessary to comply with legal process; protect the rights, property, or safety of xorlab, its business partners, you, or others; or as otherwise required by applicable law;
- Upon discovery of fraudulent activity or other deceptive practices if we believe a governmental agency should be notified;
- Where such disclosure is necessary for xorlab to enforce its legal rights pursuant to applicable law.
G. Your Privacy Rights
Whenever we process Personal Data, we take reasonable steps to ensure that your Personal Data is kept accurate and up to date for the purposes for which it was collected. We will provide you with the ability to exercise the following rights under the conditions and within the limits set forth in the law:
- to ask us to provide you with information regarding the Personal Data we process concerning you (Article 15 of the GDPR);
- to rectify, update or complement inaccurate or incomplete Personal Data concerning you (Article 16 of the GDPR);
- to delete or request the erasure of Personal Data concerning you (Article 17 of the GDPR);
- in certain circumstances to obtain of us that we restrict the way in which we process Personal Data concerning you (Article 18 of the GDPR);
- to obtain of us the portability of Personal Data concerning you which we process using automated means on the basis of your consent or of a contract you have entered into with us (Article 20 of the GDPR);
- to object to our processing of Personal Data concerning you on the basis of our, or of third-parties’ legitimate interests (Article 21 of the GDPR);
- in the European Economic Area, to lodge a privacy complaint with a supervisory authority if you are unhappy with the way we have handled your Personal Data or any privacy query or request that you have raised with us (Article 77 of the GDPR).
In addition, you may at any time withdraw any consent you may have given for us to process Personal Data concerning you.
If you believe that your Personal Data was unduly collected or is unduly processed by xorlab for purposes relating to network and information security, please be aware that if it is determined that Personal Data concerning you is processed by xorlab because it is necessary for the detection, blocking or mitigation of convicted cyber-threats, in line with Article 21 (1) GDPR, objection, rectification or erasure requests may be rejected. It is in our compelling legitimate interest to protect xorlab and our customers from cyber threats, and therefore our interest may override your objection, rectification or erasure requests until you demonstrate the measures necessary to dissociate your Personal Data from any identified cyber-threat.
Where your exercise of any of the rights above is dependent on xorlab’s action, we will abide by our legal obligation to take reasonable measures to ascertain your identity and the legitimacy of your request and may ask you to disclose to us any information necessary for that purpose. We will respond to legitimate requests within 1 (one) calendar month. In certain limited circumstances, we may need to extend our response period as permitted by applicable law. Pursuant to any such requests, we may retain certain data necessary to prevent fraud or future abuse or as otherwise required or permitted by law, including to comply with legal obligations we are subject to, as well as to establish, exercise and defend our legal claims.
Data Protection Officer
If you have any questions about xorlab’s data privacy or use of your personal data, or you want to exercise your privacy rights, contact our data protection officer using the following contact information:
xorlab AG
Data Protection Officer
Binzmühlestrasse 170d
8050 Zürich
Email: data-privacy [at] [our-domain].com