KSV1870 Nimbusec GmbH
Kaisergasse 16b, A-4020 Linz
Email: office@nimbusec.com
Phone: +43 732 860 626
FN 394170m | FBG Linz | UID ATU67830957
EUID ATBRA.394170-000
Authority according to ECG:
City of Linz / Danube - Service in automatic data processing and information technology
Member of the Economic Chamber of Upper Austria
(Area of management consulting and information technology, IT services)
Trade Regulations: www.ris.bka.gv.at
1. Controller
Controller within the meaning of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG):
KSV1870 Nimbusec GmbH
Kaisergasse 16b
4020 Linz
Austria
Phone: +43 (0)732 860 626
Email: office@nimbusec.com
Website: nimbusec.com
2. Basics of data processing
2.1. Legal basis
We only process personal data if there is a legal basis in accordance with Article 6 GDPR:
- Consent (Art. 6 (1) (a) GDPR): You have voluntarily consented to the processing of your personal data for one or more specific purposes.
- Performance of a contract (Art. 6 (1) (b) GDPR): The processing is necessary for the performance of a contract with you or for taking steps at your request prior to entering into a contract.
- Legal obligation (Art. 6 (1) (c) GDPR): The processing is necessary to fulfill a legal obligation, e.g., from accounting regulations or the DORA.
- Legitimate interests (Art. 6 (1) (f) GDPR): The processing is necessary to safeguard our legitimate interests or those of a third party, unless your interests or fundamental rights override these interests.
2.2. Categories of processed data
We process the following categories of personal data:
- Identification data, such as surname, first name, company, position
- Contact and customer data, such as email address, telephone number, postal address
- Contract data, such as customer number, contract details, order history
- Payment data, such as billing address, VAT ID, bank details
- Technical data, such as IP address, browser information, usage behavior
- Communication data, such as correspondence content, support requests
3. Purposes and legal basis of data processing
3.1. Contract fulfillment and customer service
- Purpose: Completion and fulfillment of contracts, customer service, technical support
- Legal basis: Art. 6 (1) (b) GDPR (contract fulfillment)
- Types of data: Identification, contact, contract, and payment data
- Storage period: Until complete contract fulfillment, then in accordance with statutory retention periods
3.2. Billing and accounting
- Purpose: Invoicing, accounting, tax law
- Legal basis: Art. 6 (1) (c) GDPR (legal obligation)
- Types of data: Contract, payment, and invoice data
- Storage period: For the duration of the contractual relationship and for seven years after the end of the calendar year in which the data was collected, unless the documents are required for pending legal or administrative proceedings (Section 132 BAO, Section 212 UGB)
3.3. Marketing and advertising
- Purpose: Newsletter, product information, marketing communication
- Legal basis: Art. 6 (1) (a) GDPR (consent, in particular for newsletters) or Art. 6 (1) (f) GDPR (legitimate interests)
- Types of data: Contact details, communication data
- Storage period: Until consent is revoked or until objection is raised, maximum 3 years after last contact
3.4. Security and compliance
- Purpose: Ensuring IT security, fraud prevention, compliance
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interests)
- Types of data: Technical data, access logs
- Storage period: 12 months, unless other legal obligations apply
4. Data collection and sources
4.1. Direct collection
We collect personal data directly from you in the following situations:
- Registration for our services
- Conclusion of contracts
- Data collection via DORA module and cyber risk rating
- Contact via forms or email
- Participation in webinars or events
- Newsletter registration
4.2. Indirect collection
As part of our services for customers, we may also process personal data that has not been collected directly from you. This data is collected on behalf of our customers, in particular to meet regulatory requirements (e.g., DORA).
This data originates from our customers or our customers' suppliers and is forwarded to them as recipients, e.g., for the creation of the DORA information register.
- Purpose: Fulfillment of contractual obligations towards the customer to comply with regulatory requirements (e.g., DORA)
- Legal basis: Art. 6 (1) (b) GDPR (performance of a contract) or Art. 6 (1) (f) GDPR (legitimate interests)
- Types of data: Identification data, contact and customer data
- Storage period: Until complete contract fulfillment, then in accordance with statutory retention periods
4.3. Automatic collection
When you visit our website, the following data is automatically collected:
- IP address
- Browser type and version
- Operating system
- Referrer URL
- Time of access
- Pages accessed
This data is exclusively technical data necessary for the proper operation of the website.
4.4. Third-party sources
To a limited extent, we may use data from publicly available sources (e.g., commercial register, land register, public profiles, websites) to complete and update existing customer data.
5. Disclosure of data
5.1. Processors
We work with trusted service providers who support us in providing our services:
- Cloud hosting providers: For the provision of our online services
- IT consulting providers: For data collection and quality assurance
- Payment service providers: For processing payments
- Email service providers: For sending newsletters and transactional emails
- Support software providers: For office tasks and customer support
Contracts have been concluded with all processors in accordance with Art. 28 GDPR, and they are obliged, among other things, to establish and maintain appropriate technical and organizational security measures.
5.2. Legal obligations
Personal data will only be disclosed to other third parties if:
- There is a legal obligation to do so (e.g. tax audit)
- Official requests are made in accordance with the law
- The enforcement of legal claims is necessary
5.3. No disclosure to third parties for advertising purposes
Your personal data will not be sold or otherwise transferred to third parties for advertising purposes.
6. Location of data processing and data transfers
6.1. Location of data processing
Nimbusec's services and all associated data storage are provided exclusively via servers located in the EU.
6.2. International data transfers to third countries
Data is stored and processed exclusively within the EU. In exceptional cases, data may be transferred to countries outside the European Economic Area (EEA), but only if adequate safeguards are in place:
- Adequacy decisions by the EU Commission
- Standard contractual clauses of the EU Commission
- Certified data protection frameworks (e.g., EU-US Data Privacy Framework)
7. Data protection rights of data subjects
You have the following rights under the GDPR:
7.1. Right of access (Art. 15 GDPR)
You may request information about the data stored about you, including:
- Purposes of processing
- Categories of data processed
- Recipients of the data
- Planned storage period
- Origin of the data
7.2. Right to rectification (Art. 16 GDPR)
You may request the correction of inaccurate data or the completion of incomplete data.
7.3. Right to erasure (Art. 17 GDPR)
You may request the deletion of your data if:
- The data is no longer required for the original purposes;
- You have revoked your consent;
- The data has been processed unlawfully; or
- There are no legal retention obligations.
7.4. Right to restriction of processing (Art. 18 GDPR)
You may request restriction of processing if:
- The accuracy of the data is disputed
- The processing is unlawful
- The data is required for legal claims
7.5. Right to data portability (Art. 20 GDPR)
You can receive your data in a structured, commonly used, and machine-readable format and have it transferred to another controller.
7.6. Right to object (Art. 21 GDPR)
You may object to the processing of your data if:
- The processing is based on legitimate interests
- The data is used for direct marketing purposes
- Automated decision-making takes place
7.7. Right to withdraw consent
If the processing is based on your consent, you can revoke it at any time. The revocation is effective for the future and does not affect the legality of the processing that has taken place up to that point.
7.8. Exercise of rights
You can assert your rights by emailing datenschutz@nimbusec.com or writing to our business address. We will process your request within one month of receiving it, although this period may be extended by a further two months in accordance with Art. 12 GDPR. We will inform you of any such extension within one month of receiving your request.
7.9. Proof of identity
For inquiries regarding your personal data, we may request proof of identity to prevent misuse.
8. Storage duration and deletion
8.1. General principles
Your data will only be stored for as long as is necessary for the respective purpose or for as long as statutory retention periods apply.
8.2. Specific retention periods
- Contract data: 7 years after the end of the contract (§ 132 BAO)
- Invoice documents: 7 years after invoicing (§ 132 BAO, § 212 UGB)
- Correspondence: 7 years after last contact (§ 132 BAO)
- Newsletter consent: Until revoked, maximum 3 years after last contact
- Website logs: 12 months
8.3. Automatic deletion
We have implemented technical and organizational measures that ensure the automatic deletion of data after the respective storage periods have expired.
9. Cookies and tracking technologies
9.1. Use of cookies
Our website uses technically necessary cookies, which are stored on your device:
- Purpose: Basic functionality of the website
- Legal basis: Art. 6 (1) (f) GDPR (legitimate interests)
- Storage period: Session or up to 12 months
These cookies store only data that is technically necessary for the proper operation of the website.
9.2. Web analytics
We use Matomo (hosted in the EU) to analyze website usage:
- IP addresses are pseudonymized (pseudonymization applies to the last 2 octets), and the data is stored and processed exclusively in the EU.
- The “Do Not Track” browser setting is respected.
- No disclosure to third parties.
10. Data security
10.1. Technical and organizational measures
We take appropriate technical and organizational measures to protect your data:
Technical measures
- SSL/TLS encryption during data transmission
- Encryption of data during storage
- Regular security updates and patches
- Firewalls and intrusion detection systems
- Regular backups and disaster recovery plans
Organizational measures
- Access control and authorization policies
- Training of employees in data protection
- Commitment to data secrecy in accordance with § 6 DSG
- Regular review of security measures
- Incident response procedures
10.2. Data breaches
In the event of a data breach, we will:
- Notify the Austrian Data Protection Authority within 72 hours
- Notify you immediately if there is a high risk to your rights and freedoms
- Take appropriate measures to mitigate the damage
11. Complaint to the supervisory authority
You have the right to lodge a complaint with the competent supervisory authority:
Austrian Data Protection Authority (DSB)
Barichgasse 40-42
1030 Vienna
Austria
Phone: +43 (0)1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
12. Contact and further information
For all questions regarding data protection and exercising your rights as a data subject within the scope of the GDPR (see section 7), please contact:
Email: datenschutz@nimbusec.com
Post: KSV1870 Nimbusec GmbH, Kaisergasse 16b, 4020 Linz, Austria
13. Changes to this privacy policy
13.1. Updating
This privacy policy is reviewed regularly and updated as necessary. The current version is always available on our website.
13.2. Notification
We will notify you of any significant changes by posting a clear notice on our website.
13.3. Date of last change
This privacy policy was last updated in June 2025.