This Privacy Policy explains how SoCyber EOOD ("SoCyber", "we", "us" or "our") collects, uses, shares and protects personal data when you visit https://so-cyber.com (the "Site"), contact us, or use the tools and forms we provide. We are a cybersecurity and compliance company based in the Republic of Bulgaria and working with clients internationally.
We process personal data in accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR") and the Bulgarian Personal Data Protection Act.
1. Who we are (the data controller)
The controller responsible for your personal data is:
- SoCyber EOOD
- Residential Complex "Hipodruma", Building 107A, ap. 1, 1612 Sofia, Bulgaria
- Email: office@so-cyber.com
- Phone: +359 876 761 555
For any question about this policy or about how we handle your data, contact us at office@so-cyber.com.
2. What this policy covers
This policy covers the personal data we process as a controller through the Site and our general business communications. Where we process data on behalf of a client as part of a paid engagement (for example, during a penetration test or compliance assessment), we act as a processor and the relevant data processing agreement with that client governs the processing, not this policy.
3. The personal data we collect
We collect personal data in the following ways:
Data you give us
- Contact and enquiry forms: your name, work email, company, phone number (if provided), the topic of your enquiry and any message you send.
- Readiness self-assessments and "email my results": the answers you select and the email address you ask us to send the results to.
- Recruitment: any details you choose to share when applying for a role or expressing interest in working with us.
- Direct correspondence: the content of emails, calls and messages you exchange with us.
Data collected automatically
- Technical and security logs: when you visit the Site, our hosting and content-delivery providers process limited technical data such as your IP address, browser type, pages requested and timestamps. This is used to deliver the Site, keep it secure, and detect abuse.
- Cookies and similar technologies: see our Cookie Policy for details. The Site uses only a minimal, strictly necessary set.
We do not intentionally collect special categories of data (such as health, political or biometric data) through the Site, and we ask that you do not send such data through our forms.
4. How we use your data and our legal bases
We use personal data only where we have a lawful basis under Article 6 GDPR:
| Purpose | Legal basis |
|---|---|
| Responding to your enquiries and providing requested information | Steps taken at your request prior to a contract, and our legitimate interest in answering enquiries |
| Sending you the results of a self-assessment you asked us to email | Your consent |
| Providing and improving our services to clients | Performance of a contract |
| Securing the Site and preventing fraud or abuse | Our legitimate interest in protecting our systems and users |
| Recruitment | Steps taken at your request prior to a contract, and your consent |
| Meeting legal, tax and accounting obligations | Compliance with a legal obligation |
| Sending occasional updates where you have opted in | Your consent (withdrawable at any time) |
Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
5. Cookies
The Site uses only minimal, strictly necessary storage and does not use advertising or cross-site tracking cookies. Full details are in our Cookie Policy.
6. Who we share data with
We do not sell your personal data. We share it only with trusted service providers who process it on our behalf under appropriate contracts, and where required by law. Our main processors are:
- Microsoft 365 (Microsoft Ireland Operations Ltd) - email delivery and handling of enquiries sent through the site.
- Cloudflare, Inc. - content delivery, DNS, and protection against malicious traffic.
We may also disclose data to professional advisers, or to competent authorities where we are legally required to do so.
7. International transfers
Some of our providers may process data outside the European Economic Area (EEA). Where that happens, we rely on an appropriate safeguard under Chapter V GDPR, such as an adequacy decision of the European Commission or the European Commission's Standard Contractual Clauses, so that your data remains protected to an equivalent standard.
8. How long we keep data
We keep personal data only for as long as necessary for the purposes set out above. Enquiry and contact data is generally kept for up to 24 months after our last meaningful contact, unless a longer period is required for an ongoing relationship or by law (for example, accounting records). Self-assessment result requests are kept only as long as needed to handle the request and any resulting conversation.
9. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- receive your data in a portable format;
- withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email us at office@so-cyber.com. We will respond within the timeframes required by law. You will not have to pay a fee unless your request is clearly unfounded or excessive.
If you believe we have not handled your data properly, you have the right to lodge a complaint with the Republic of Bulgaria's supervisory authority, the Commission for Personal Data Protection (CPDP) (2 Prof. Tsvetan Lazarov Blvd, Sofia 1592, Bulgaria, https://www.cpdp.bg, kzld@cpdp.bg), or with the supervisory authority in your country of residence.
10. How we protect your data
As a cybersecurity company, security is central to how we operate. We apply appropriate technical and organisational measures, including encryption in transit, access controls, least-privilege principles and ongoing monitoring, to protect personal data against unauthorised access, loss or misuse. No method of transmission or storage is completely secure, but we work continuously to keep our safeguards strong.
11. Children
The Site is intended for business audiences and is not directed at children. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top shows when it was last revised. Material changes will be reflected on this page.
13. Contact us
Questions about this Privacy Policy or your personal data can be sent to office@so-cyber.com or by post to Residential Complex "Hipodruma", Building 107A, ap. 1, 1612 Sofia, Bulgaria.