Celeri Victoria

Privacy Policy

Introduction
Celeri Victoria ("we", "our", the "Company") is committed to protecting the privacy, confidentiality, and security of personal data. This Privacy Policy explains how we collect, use, disclose, transfer, and store personal data in the provision of our cybersecurity services, including penetration testing, red‑team engagements, resilience assessments, managed detection and response, IoT testing, server hardening, and related advisory and monitoring services. This policy is written to address major global privacy regimes (including the EU General Data Protection Regulation (GDPR), UK data protection law, and relevant U.S. frameworks) and to reflect industry best practices for a security‑focused organization. Where required by local law, additional notices or terms may apply.

Scope
This Privacy Policy applies to personal data processed by Celeri Victoria in connection with:

  • Prospective, current, and former clients and their personnel;
  • Users of our websites, portals, and web applications (including marketing websites, customer portals, and demo sites);
  • Job applicants and our employees, contractors, and service providers;
  • Contacts provided to us by clients, partners, or third parties; and
  • Incident response and forensic processing where personal data may be encountered.

It applies regardless of how personal data is collected — via websites, email, phone, third‑party integrations, assessments, testing activities, on‑site engagements, or through our tools and platforms. It does not apply to anonymized or aggregated data that cannot reasonably be used to identify an individual.

Key Principles
We adhere to the following data protection principles:

  • Lawfulness, fairness and transparency: We process personal data lawfully, fairly, and in a transparent manner.
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes and do not further process it in a manner incompatible with those purposes.
  • Data minimization: We collect only the personal data necessary for the purposes described.
  • Accuracy: We take reasonable steps to ensure personal data is accurate and up to date.
  • Storage limitation: We retain personal data only as long as necessary for the stated purposes and in compliance with legal obligations.
  • Integrity and confidentiality: We protect personal data with appropriate technical and organizational measures.
  • Accountability: We maintain records and can demonstrate compliance with these principles.

Data We Collect
We process a range of personal data categories depending on the context:

  1. Contact and identity information
  • Names, job titles, company names, email addresses, telephone numbers, and business addresses collected from clients, prospects, partners, and vendor contacts.
  2. Account and authentication data
  • Usernames, passwords (secured/hashed), multi‑factor authentication data, and other credentials for access to portals and client environments.
  3. Transactional and contractual data
  • Contract details, engagement scopes, billing and invoicing information, purchase orders, and payment transaction metadata (we typically rely on third‑party payment processors for card processing).
  4. Technical and usage data
  • IP addresses, device identifiers, browser and operating system details, telemetry from web interactions, logs from our monitoring tools, timestamps, session identifiers, usage statistics, and diagnostic information.
  5. Assessment and engagement data
  • Data collected or observed during penetration tests, red‑team operations, resilience assessments, or incident response activities, which may include personal data stored within client systems (email addresses, user accounts, configuration metadata, logs). When processing client systems we act primarily as a processor or as a contracted service provider under client direction; handling of that data is governed by the engagement contract.
  6. Incident and forensic data
  • Data acquired during incident response and digital forensics, which may include system artifacts, user activity data, IP addresses, file names, emails, and other evidence useful to investigate and remediate incidents.
  7. Human resources and recruitment data
  • CVs/resumes, employment history, references, professional certifications, educational background, right to work documentation, emergency contact details, and payroll or benefits information for applicants, employees, and contractors.
  8. Marketing and communications data
  • Preferences, consent records for marketing, newsletter subscriptions, event attendance history, and communication content where voluntarily provided.
  9. Third‑party and public data
  • Data available from public sources or provided by third parties (e.g., business directories, professional networks) used for business development or compliance checks.

How We Collect Data
We obtain personal data via:

  • Direct interactions: inquiries, contact forms, emails, phone calls, contracts, job applications, and onboarding.
  • Automated technologies: cookies, web beacons, analytics tools, and monitoring of access to our portals.
  • Client systems: as part of technical engagements where we access client environments by contractual arrangement.
  • Third parties: partners, subcontractors, public sources, and data enrichment services.
  • Legal or regulatory sources: law enforcement, regulatory requests, or compliance checks where necessary.

Legal Bases for Processing (where applicable)
Where applicable (for example under the GDPR), we rely on appropriate legal bases for processing personal data:

  • Performance of a contract: Processing necessary to perform services under client contracts.
  • Legal obligation: Processing required to comply with applicable laws, court orders, or regulatory obligations.
  • Legitimate interests: For purposes such as network and information security, fraud detection, direct marketing (subject to opt‑out), business continuity, and defense of legal claims — balanced against individual rights.
  • Consent: For processing that requires consent (e.g., certain marketing communications, non‑essential cookies). Consent can be withdrawn at any time.
  • Vital interests: Where necessary to protect life or safety in emergency situations (e.g., responding to incidents with immediate risk to individuals).

How We Use Personal Data
Celeri Victoria uses personal data for the following purposes:

  1. To provide cybersecurity services
  • Delivering penetration tests, red‑team operations, resilience assessments, managed detection and response, incident response, forensics, and advisory services. This includes accessing and analyzing client systems and logs, producing reports, and recommending remediation.
  2. To manage client relationships and deliver support
  • Onboarding, billing, communicating findings, coordinating engagements, scheduling, and providing technical and account support.
  3. To operate our platforms and websites
  • Managing user accounts, authentication, access control, maintaining service availability, and diagnosing and resolving issues.
  4. To improve services and innovate
  • Product development, research, trend analysis, quality assurance, and developing new tools and methodologies (using anonymized or aggregated data where possible).
  5. For security, fraud prevention, and risk management
  • Detecting, preventing, and investigating security incidents, abuse, and unauthorized access; performing threat hunting and real‑time monitoring to protect our infrastructure and clients.
  6. For legal, regulatory, and compliance purposes
  • Responding to lawful requests, litigation, audits, regulatory inquiries, compliance reporting, and maintaining records.
  7. For recruitment and HR management
  • Managing job applications, payroll, benefits, training, and contractor management.
  8. For marketing and communications
  • Sending newsletters, event invitations, product updates, and promotional communications where permitted. Recipients can opt out of marketing communications.

Sharing and Disclosure of Personal Data
We may share personal data in the following circumstances:

  1. With clients and their authorized representatives
  • When performing contracted services, we may disclose findings, evidence, or processed data as required by the engagement terms.
  2. Service providers and subprocessors
  • We engage trusted third parties to support operations (cloud hosting, analytics, payment processing, background checks, legal advisors). These providers process data under contract and appropriate safeguards.
  3. Affiliates and corporate transactions
  • With our subsidiaries, affiliates, or in connection with a merger, acquisition, reorganization, or sale of assets; affected individuals will be notified where required by law.
  4. Legal and regulatory disclosures
  • In response to subpoenas, court orders, government requests, or to comply with laws, or to defend legal rights.
  5. Security and safety
  • To protect against imminent harm or to respond to security incidents; we may share data with incident response partners and law enforcement when necessary.
  6. Aggregated or anonymized information
  • We may publish anonymized or aggregated data that does not identify individuals.

International Transfers
Celeri Victoria operates globally. Personal data may be transferred to and processed in countries other than your country of residence, including the United States and other jurisdictions whose data protection laws may differ. When transferring data across borders we implement appropriate safeguards such as:

  • Standard contractual clauses (SCCs) or other valid transfer mechanisms where required;
  • Binding corporate rules for intra‑group transfers where applicable; and
  • Technical and organizational measures (encryption, access controls) to protect data in transit and at rest.

Retention Periods
We retain personal data only as long as necessary to fulfill the purposes described, including to meet contractual obligations, resolve disputes, enforce agreements, comply with legal requirements, and for recordkeeping. Typical retention periods include:

  • Client engagement records and reports: retained for the duration of the engagement plus a period (commonly 3–7 years) to meet contractual, insurance, and legal obligations.
  • Logs and monitoring data: retained according to operational needs and applicable law; may be aggregated or truncated for long‑term storage.
  • HR records: retained while employed and thereafter as required by employment law and for a reasonable time for defense of claims.
  • Marketing data: until consent is withdrawn or the individual opts out.

Security Measures
We maintain industry‑standard technical and organizational measures to protect personal data, including:

  • Encryption of data in transit and at rest where feasible;
  • Network segmentation, firewalls, and intrusion detection/prevention systems;
  • Multi‑factor authentication and role‑based access control;
  • Regular security assessments, code reviews, and third‑party audits;
  • Secure development lifecycle and change management processes;
  • Employee training on data protection, incident response, and least privilege; and
  • Incident response plans and breach notification procedures.

Data Subject Rights
Depending on applicable law, individuals may have rights regarding their personal data. Celeri Victoria will facilitate requests in accordance with legal requirements. These rights may include:

  • Access: Request a copy of personal data we hold.
  • Rectification: Request correction of inaccurate or incomplete data.
  • Erasure: Request deletion of personal data where lawful (subject to retention obligations).
  • Restriction of processing: Request temporary limitation of processing.
  • Data portability: Request transfer of personal data in a commonly used, machine‑readable format.
  • Objection: Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent: Where processing is based on consent, individuals may withdraw consent at any time.
  • Lodge a complaint: With a supervisory authority (e.g., a data protection regulator) if they believe their rights have been violated.

To exercise rights, contact: info@celeri-victoria.com with a clear description of the request and supporting information to verify identity. We respond within applicable legal timeframes.

Children’s Privacy
Our services are intended for businesses and professionals and are not directed to children under 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child in violation of this policy, we will take steps to delete it promptly.

Cookies and Tracking Technologies
We use cookies and similar technologies on our websites and portals for essential functionality, analytics, session management, and optional marketing. Users can control cookie preferences via cookie banners, browser settings, or account preferences. Disabling non‑essential cookies may affect site functionality.

Third‑Party Links and Integrations
Our websites may link to third‑party sites and integrate third‑party services (e.g., payment processors, analytics). We are not responsible for the privacy practices of third parties. Please review their privacy policies before providing personal data.

Processing Client Data During Engagements
When we perform technical services on client systems, we may process personal data contained within those systems. Typically:

  • We act under client direction as a processor or subcontractor; contractual terms (Data Processing Agreement or equivalent) govern scope, purpose, security measures, and return/deletion of data.
  • We minimize collection and use of personal data; where possible we work with pseudonymized or test data.
  • For incident response engagements, we preserve evidence and notify clients of findings; we do not disclose client data externally except as instructed or required by law.

Confidentiality and Ethics
We treat client systems, findings, and data as confidential. Staff and contractors are bound by confidentiality obligations, nondisclosure agreements, and ethical standards. We do not exploit or publicly disclose vulnerabilities without client consent except where required by law.

Subprocessors and Vendors
We may engage subprocessors (cloud hosts, analytics, email, and other service providers). We conduct vendor due diligence and impose contractual security and privacy obligations. A non‑exhaustive list of categories of subprocessors is available on request.

Breach Notification
In the event of a data breach affecting personal data we control, we will:

  • Act promptly to contain and remediate the breach;
  • Assess the nature and scope of the incident and potential risks to individuals;
  • Notify affected clients and individuals where required by law or contract; and
  • Report to supervisory authorities where legally obligated.

International Compliance Notes
GDPR (EU/EEA) — Data subjects in the EU have rights under the GDPR; our processing bases and safeguards described above are intended to align with GDPR obligations. We may act as data controller or processor depending on context; when acting as processor, clients retain control and responsibility for instructions.

UK — We comply with UK data protection law where applicable and adopt similar safeguards to those described for the GDPR.

United States — U.S. data protection law is sectoral and state‑based. We comply with applicable federal and state laws, including breach notification statutes. For U.S. residents, rights may vary by state.

California Residents — If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA) where applicable, including the right to opt out of sale/sharing of personal information, request disclosure of categories of data collected, and request deletion. We do not “sell” personal information as defined in California law; if sharing practices change we will provide required notices and opt‑out mechanisms.

Do Not Track
Our websites do not currently honor browser “Do Not Track” signals. Cookie and tracking preference controls are available via our cookie banner and account settings.

Data Protection Officer (DPO) and Contact
We have designated a privacy contact responsible for data protection matters.

Privacy contact:
info@celeri-victoria.com
Celeri Victoria

For regulatory complaints, data subjects may contact the relevant supervisory authority in their jurisdiction.

Updates to This Policy
We may update this Privacy Policy to reflect changes in practices, legal requirements, or services. We will post the updated policy with a new effective date and, where required, provide notice to affected users.

Acknowledgement and Acceptance
By engaging with our services, using our websites, or providing personal data to Celeri Victoria, you acknowledge that you have read and understood this Privacy Policy and consent to the processing described herein where required.

Annexes (Selected Templates and Clauses)

  1. Data Processing Agreement (DPA) Summary
  • Roles: Client = Controller; Celeri Victoria = Processor (unless otherwise agreed).
  • Purpose: Provision of cybersecurity services as specified in the engagement statement.
  • Processor obligations: Process only on documented instructions, implement security measures, assist controller with data subject rights requests, notify controller of breaches, return/delete data at end of the engagement.
  2. Standard Contractual Clauses and Transfers
  • Where international transfers are required, we employ appropriate safeguards like SCCs, encryption, access controls, and vendor assessments.
  3. Subprocessor List and Updates
  • We maintain an up‑to‑date list of subprocessors and will notify clients of changes with an opportunity to object where legally required.
  4. Retention and Deletion Procedure
  • Upon engagement termination, we securely return or delete personal data per contractual terms and maintain secure backups only as necessary for legal obligations.
  5. Law Enforcement and Government Requests
  • We limit disclosure to lawful and proportionate requests, verify requests, and challenge overbroad demands where appropriate. We notify clients of requests affecting their data unless prohibited.
  6. Security Controls Overview
  • Access control, encryption, key management, secure coding practices, logging and monitoring, periodic penetration testing, vulnerability management, incident response, employee security training, and third‑party assessments.
  7. Glossary
  • “Personal data” means any information relating to an identified or identifiable natural person.
  • “Controller” determines the purposes and means of processing.
  • “Processor” processes data on behalf of a controller.
  • “Subprocessor” is a third party engaged by the processor to process data.

Conclusion
Celeri Victoria aims to maintain the highest standards of data protection and information security while delivering advanced cybersecurity services. For questions, to exercise your rights, to request our DPA or subprocessor list, or to report concerns, contact info@celeri-victoria.com.