Privacy Policy
Version 2.0 — Effective Date: 1 March 2026
This Privacy Policy is issued pursuant to the Personal Data Protection Law of the Kingdom of Saudi Arabia (PDPL, Royal Decree No. M/19, 1443H) and its implementing regulations. It describes how CISO Consulting ("Controller", "we", "us") collects, processes, stores, and protects personal data when you use the CyberPulse KSA platform.
1. Data Controller Identity
Controller: CISO Consulting
Registered Location: Riyadh, Kingdom of Saudi Arabia
Data Protection Officer (DPO): dpo@ciso.sa
Privacy Inquiries: privacy@ciso.sa
CISO Consulting acts as the data controller for all personal data collected through the Platform. Where third-party service providers process data on our behalf, they act as data processors under binding contractual arrangements consistent with PDPL requirements.
2. Categories of Personal Data Collected
Identity and Contact Data: Full name, email address, phone number, job title, and organization name provided during registration or profile completion.
Professional Data: Industry sector, company size, regulatory compliance status, and cybersecurity assessment responses submitted through Platform tools.
Technical and Usage Data: IP address, browser type and version, operating system, device identifiers, session data, pages visited, features used, and time spent on the Platform.
Communication Data: Content of messages sent through the Platform, support requests, and chatbot interaction logs (anonymized after 90 days).
Derived Data: Compliance readiness scores, risk ratings, and intelligence profiles generated by Platform analytics based on your inputs and usage patterns.
3. Legal Basis for Processing
We process your personal data on the following legal bases under the PDPL:
(a) Contractual Necessity: Processing required to fulfill our obligations under these Terms of Service and deliver Platform services;
(b) Legitimate Interest: Processing for security monitoring, fraud prevention, platform improvement, and professional service delivery, balanced against your rights;
(c) Consent: Marketing communications, newsletters, and optional platform features where you have provided explicit consent, which you may withdraw at any time;
(d) Legal Obligation: Processing required by applicable Saudi law, regulatory orders, or court directives.
4. Purposes of Processing
We use your personal data to: (a) create and manage your user account; (b) provide and operate Platform services including compliance assessments, threat intelligence, and community features; (c) authenticate your identity and secure your account; (d) send transactional communications including OTPs, security alerts, and service notifications; (e) send marketing communications where you have provided consent; (f) analyze usage patterns to improve Platform performance and relevance; (g) comply with our legal and regulatory obligations; (h) investigate and respond to security incidents, fraud, or abuse; (i) generate anonymized and aggregated statistical reports for product improvement.
5. Your Rights Under the PDPL
As a data subject under the Saudi Personal Data Protection Law, you have the following rights:
Right of Access: Request a copy of your personal data we hold and information about how it is processed.
Right of Correction: Request correction of inaccurate or incomplete personal data.
Right of Deletion: Request deletion of your personal data where processing is no longer necessary or lawful, subject to legal retention obligations.
Right to Withdraw Consent: Withdraw consent to any processing based on consent, without affecting the lawfulness of prior processing.
Right of Data Portability: Request your personal data in a structured, commonly used, machine-readable format.
Right to Object: Object to processing based on legitimate interest where your fundamental rights override our interests.
Right to Lodge a Complaint: Submit a complaint to the Saudi Data & AI Authority (SDAIA) at sdaia.gov.sa if you believe your rights have been violated.
To exercise any of these rights, submit a written request to dpo@ciso.sa. We will respond within 30 days as required by PDPL Article 13.
6. Data Sharing and Disclosure
We do not sell your personal data. We may disclose your data to: (a) authorized service providers acting as data processors (cloud hosting, email delivery, analytics) under binding agreements; (b) competent Saudi authorities where required by law, court order, or to protect national security; (c) professional advisors (lawyers, auditors) under obligations of confidentiality; (d) a successor entity in the event of a merger, acquisition, or asset sale, with prior notice to you where required by law.
Any cross-border transfer of personal data is conducted in compliance with PDPL Article 29 requirements and only to jurisdictions with adequate protection levels or under appropriate contractual safeguards.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy or as required by Saudi law. Specific retention periods: account data — for the duration of your account plus 5 years after closure; compliance assessment data — 7 years (aligned with SAMA CSF audit trail requirements); security and access logs — 12 months (aligned with NCA ECC LOG-1 requirements); marketing consent records — 5 years after withdrawal; chatbot interaction data — anonymized after 90 days. After the applicable retention period, data is securely deleted or anonymized.
8. Security Measures
We implement technical and organizational security measures commensurate with Saudi national cybersecurity standards, including: AES-256 encryption for data at rest; TLS 1.3 for data in transit; multi-factor authentication for administrative access; role-based access controls (RBAC) limiting data access to authorized personnel; regular penetration testing and vulnerability assessments; security incident response procedures aligned with SAMA CSF IR requirements; annual security awareness training for all personnel with access to personal data.
9. Cookies and Tracking Technologies
We use strictly necessary cookies for session management, authentication, and Platform functionality. We use analytics cookies to understand usage patterns with your consent. You may manage cookie preferences through your browser settings. Our cookie practices comply with applicable Saudi regulatory guidance on electronic communications.
10. Data Breach Notification
In the event of a personal data breach that poses a significant risk to your rights or interests, we will notify the Saudi Data & AI Authority (SDAIA) within 72 hours of becoming aware of the breach as required by PDPL Article 19. Where required, we will also notify affected data subjects directly with information about the breach and protective measures to take.
11. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or regulatory guidance. We will notify you of material changes via the Platform or email at least 15 days before the changes take effect. Your continued use of the Platform after notification constitutes acceptance of the updated Policy.
12. Contact and Supervisory Authority
Data Protection Officer: dpo@ciso.sa
Privacy Inquiries: privacy@ciso.sa
Supervisory Authority: Saudi Data & AI Authority (SDAIA) — sdaia.gov.sa