Privacy Policy for End Users

Your organization (hereinafter "the Controller" or "the Customer") appointed you as part of the target audience for the following services (hereinafter "Services") provided by ExchangeDefender:

• Performing simulated phishing attacks on the logged-in employees of the Customer (in its broadest sense, hereinafter "Employees") (and systems of the Customer).
• Training the Employees by means of e-learning.
• Automatically delivering detailed reports regarding the results through a web portal.

The Customer and ExchangeDefender have concluded an agreement on the performance of these Services.

14422 Shoreside Way, Suite 110-262, Winter Garden, FL 34787

Contact:
In case you want to contact us regarding this policy, you can contact us via email to our DPO: [email address removed]. If you want to exercise one of your rights (see section 7), we kindly request to contact the Customer.

We process the following of your personal data:

• Name
• Email address
• Language
• Position at the company
• Open/click/report behavior and results

Optional:

• Department within the company
• Location within and/or of the company
• Mobile phone or telephone number
• Email data (see below) (depending on settings in the ExchangeDefender account)

This data is provided to us by the Customer, who (a) lawfully obtained such personal data from you and lawfully provided it to ExchangeDefender, (b) provided ExchangeDefender with personal data that is accurate and up to date, and (c) will provide you with relevant information about the processing activities.

We process the personal data because it is necessary for the performance of the Services. In this regard, we process your personal data for the following purposes on behalf of the Customer:

• Making the ExchangeDefender software available in accordance with the agreements between ExchangeDefender and the Customer (including, but not limited to, creating a recipient account for you and ensuring the proper functioning of the ExchangeDefender software).
• Increasing the awareness level of the dangers of phishing via the ExchangeDefender software and tracking the users of the software, including (but not limited to):
• Sending and receiving communications via email, text, or voice message (depending on the settings) (e.g., notification of phishing simulation or a suspected real phishing email). These do not constitute direct marketing. Nevertheless, if you no longer wish to receive these communications, please contact the Customer, who may give its permission to stop these communications. However, we do not recommend this as you will no longer benefit from our training and the Customer benefits best from training when as many of its Employees as possible are participating.
• Storing phishing results.
• Keeping phishing results available for the Customer via statistics.
• Making adjustments to the phishing simulations.

ExchangeDefender will not process your personal data for any other purpose than for the performance of the Services and/or for the fulfillment of the responsibilities laid down in the agreement entered into between ExchangeDefender and the Customer. ExchangeDefender will only process your personal data on behalf of the Customer and in accordance with the documented instructions of the Customer.

We only disclose relevant aspects of personal data to third parties if those parties are contractually bound to ExchangeDefender or act on behalf of or under contract to ExchangeDefender. Naturally, we have made agreements with these parties regarding the protection of your personal data.

ExchangeDefender may disclose personal data when such disclosure is necessary to comply with a legal obligation to which we are subject or to protect (vital) interests. We may also disclose the personal data when such disclosure is necessary to establish, exercise, or defend legal claims, in court proceedings, or in administrative or extra-judicial proceedings.

Personal data will be retained for the duration of the contract between ExchangeDefender and the Customer and will be deleted through methods such as anonymization after 6 months of inactivity following the termination of this contract.

Unless otherwise agreed upon between ExchangeDefender and the Customer, we are allowed to further use anonymized aggregated data, which does not constitute personal data, to improve our services.

In any case, you, as a data subject, or the Customer may contact us at any time regarding a request to anonymize or delete certain personal data (for example, if you are no longer working for the Customer)

Your requests regarding the exercise of your data protection rights should be addressed to the Data Controller, who is responsible for handling this request. These requests will not be handled by ExchangeDefender under any circumstances, unless we’ve been explicitly instructed by the Controller.

For your information and clarity, we have summarized your rights under the GDPR in this section. Because some of these rights are complex, not all of the details are included in this summary. Therefore, you can read the relevant laws and regulations for a full explanation of these rights or contact the Data Controller.

• Right of Access and a Copy of Your Personal Data: You have the right to be informed about whether your personal data is being processed by the Data Controller and, if so, to access this personal data, together with the additional information mentioned in Article 15 of the GDPR. If the protection of the rights and freedoms of others is not affected, the Data Controller will provide you with a copy of your personal data.

If you request a copy of the data processed by ExchangeDefender, you must address this request to your Controller. We inform you that, if we receive your request via the Data Controller, we can only provide a copy of the following personal data:

• Your name;
• Your e-mail address;
• The unique number associated with your user account (UID).

All other categories of personal data (see above) are encrypted for ExchangeDefender (where the encryption key is managed by a third party). Therefore, we cannot reasonably provide you with a copy of this data. However, the Controller can provide a copy of this. This is part of the principle of 'Security by Design', as our platform is structured in such a way that the personal data that ExchangeDefender can consult is limited to what is strictly necessary.

• Right to Rectification: You have the right to have incorrect and/or incomplete personal data corrected and/or supplemented.
• Right to Erasure: You have the right to have your personal data erased in the circumstances mentioned in Article 17(1) of the GDPR, such as when you withdraw your consent to processing based on consent. Please note that your personal data has not been collected for the use of the Services by the Data Controller based on your consent, but based on their legitimate interest.
• Right to Restriction of Processing: You have the right to restrict the processing of your personal data in the circumstances set out in Article 18(1) GDPR, for example, if you contest the accuracy of the personal data.
• Right to Data Portability: You have the right to receive the personal data concerning you that you have provided to the Data Controller in a structured, commonly used, and machine-readable format and to transmit this data to another Data Controller if (a) the processing is based on consent or is necessary for the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract, and (b) this processing is automated. However, this right does not apply where it would harm the rights and freedoms of others. In the admin manual, which is made available by ExchangeDefender to the Controller, the Controller can find for which data such an export is possible.
• Right to Withdraw Consent: To the extent that the lawful basis for the processing of your personal data is consent, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of the processing prior to its withdrawal.
• Right to File a Complaint with the Supervisory Authority: We always encourage you to forward any questions, comments, or complaints you may have regarding the processing of your personal data to your Data Controller. In any case, particularly if you do not agree with the position of your Controller and/or ExchangeDefender in response to a complaint/request or the way in which your request was handled (for example, if you believe that our processing of your personal data violates data protection legislation or if you have comments about the use of your personal data), you have the right to lodge a complaint with the competent supervisory authority.
• Right to Object to Processing: You have the right to object to the processing of your personal data for direct marketing purposes at any time, as long as the exclusions mentioned in Article 17(3) GDPR do not apply (for example, if the processing is necessary to comply with a legal obligation). You also have the right to object to the processing of your personal data based on Article 6 (e) or (f) GDPR on grounds relating to your particular situation. In addition, you have the right to object to the processing of your personal data for scientific, historical, or statistical (research) purposes on grounds relating to your particular situation.

ExchangeDefender reserves the right to make changes and/or updates to this Data Protection Policy to take into account technological advancements, changes in laws and regulations, and good business practices.