CYVRA Logo
Home
BlogPolicyContact
GET A DEMO
Home>Policy>Product Privacy Notice

Product Privacy Notice

CYVRA Product Privacy Notice

CYVRA Inc. (“CYVRA,” “we,” “us,” or “our”), a corporation duly incorporated under the laws of the State of Delaware with its principal office in Utah, United States of America, is committed to safeguarding the privacy and security of personal data entrusted to us by our customers (“Customer”) and their employees (“End Users”). This Product Privacy Notice (“Notice”) sets forth the manner in which CYVRA collects, processes, stores, and protects personal data in connection with the provision of CYVRA’s security awareness training services, including phishing simulations, cyber games, newsletters, and training modules (collectively, the “Services”).

By engaging the Services, Customer acknowledges that it has reviewed and understood this Notice and that such processing of personal data shall be subject to the terms set forth herein.


1. Categories of Personal Data Collected

CYVRA limits its collection of personal data to that which is strictly necessary for the performance of the Services. The categories of data processed include:

  • Business email addresses of End Users designated by the Customer.
  • Training results, including, without limitation, simulation outcomes (e.g., clicks, opens, reports), quiz scores, and cyber game performance metrics.

CYVRA does not collect personal phone numbers, payment card information, government-issued identifiers, or other sensitive personal data not required for training delivery.


2. Purpose and Legal Basis of Processing

2.1 Personal data is processed solely for the following purposes:

  (a) to deliver phishing simulations, newsletters, cyber games, and related awareness training content;

  (b) to authenticate End Users’ access to the CYVRA Cyber Games Platform through one-time passcodes (“OTP”);

  (c) to measure and report on the effectiveness of training initiatives; and

  (d) to ensure the continued functionality, improvement, and security of the Services.


2.2 Where applicable, the lawful bases for such processing under the General Data Protection Regulation (GDPR) include:

  (a) performance of a contract with the Customer;

  (b) CYVRA’s legitimate interests in providing and improving the Services; and

  (c) compliance with legal obligations to which CYVRA is subject.


3. Data Retention

3.1 Training results shall be retained in active production systems for no longer than thirty (30) days, after which they shall be irreversibly deleted.

3.2 Business email addresses may be retained in encrypted offline backups, which shall be updated on a semi-annual basis. Prior backup sets shall be securely destroyed upon replacement.

3.3 Customer Data deleted from production shall not be restored into production from backup media following a deletion request.


4. Security Measures

CYVRA implements appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including but not limited to:

  • Encryption of data in transit (TLS 1.2/1.3) and at rest (AES-256).
  • Strict administrative access controls, limited exclusively to CYVRA administrators.
  • Use of encrypted offline backup media stored in secure facilities.
  • Regular vulnerability assessments and penetration testing.


5. Subprocessors

In delivering the Services, CYVRA engages third-party subprocessors who provide infrastructure, email delivery, and content hosting services. These include, without limitation:

  • Amazon Web Services (AWS): Cloud hosting and storage.
  • Mailgun: Email delivery of phishing simulations and newsletters.
  • Microsoft 365: Productivity and administrative support functions.
  • Third-party OTT provider: Hosting of training videos.

All subprocessors are contractually bound to maintain appropriate safeguards consistent with applicable data protection laws.


6. International Data Transfers

Customer Data may be stored and processed in the United States. Where data is transferred from jurisdictions such as the European Economic Area (EEA), CYVRA relies upon Standard Contractual Clauses (SCCs) and other appropriate safeguards as required by law.


7. Data Subject Rights

Where required under applicable law (including GDPR, UK GDPR, CCPA, and other data protection regimes), End Users are entitled to exercise the following rights:

  • Right of access to their personal data.
  • Right to rectification of inaccurate data.
  • Right to erasure (“right to be forgotten”).
  • Right to restrict or object to processing.
  • Right to data portability.
  • CCPA: Right to opt out of the sale or sharing of personal information (note: CYVRA does not sell personal information).

Requests to exercise such rights may be directed to compliance@cyvra.com. CYVRA shall respond within thirty (60) days or such other period as mandated by applicable law.







8. Children’s Data

The Services are intended exclusively for business use. CYVRA does not knowingly collect or process personal data relating to individuals under the age of eighteen (18).


9. Changes to this Notice

CYVRA reserves the right to amend this Notice at its discretion to reflect changes in legal requirements, business practices, or the Services. Customers will be notified of material changes, and continued use of the Services shall constitute acceptance of such amendments.


10. Contact Information

All inquiries or complaints relating to this Notice or to CYVRA’s processing of personal data shall be directed to:

CYVRA Inc.

Principal Office: 340 21st Street

Apt 2013, Ogden, Utah

84401, United States of America

Email: compliance@cyvra247.com

Legal Notices: legal@cyvra247.com

Service of process shall additionally be directed to CYVRA’s registered agent on file with the Delaware Secretary of State.