The following constitutes the current list of CTS "Sub-Processors" that could conceivably have access to information stored within our systems.
HubSpot
Website: https://www.hubspot.com
Usage: Campaign, Marketing, Quotations and Order Information, Projects
DATA: Any contact details provided by companies or individuals, product order details, quotes, emails and other communication data. Where our "Quotation Request Forms" are utilised, any data provided on those forms is also recorded within a ticket within HubSpot.
XERO
Website: https://www.xero.com/uk/
Usage: Financial Transactions related to any activities completed by Cyber Tec Security
DATA: Any contact details logged for delivery of services where financial transactions are involved, associated quotes, invoices and remittance advice. Employee data and the data required for HMRC will also be kept within Xero, including full contact details for our employees.
HR (Outsourced)
Outsourced to: Peacock HR Consultants
Website: https://peacockhrconsultants.co.uk/
Data: Internal access to HR Information (provided as needed) and otherwise, contact details for our staff members.
H&S (Outsourced)
Outsourced to: Safety Horizons
Website: https://www.safetyhorizonsw.com/
Data: Limited or no access to any personal information save that of any internal resources required to support H&S within CTS, or any third party making a request, where contact information has been shared.
CloudAlly
Website: https://www.cloudally.com/
Usage: Backup of Microsoft Office 365 and associated sub-components of MS365.
DATA: Any information stored within emails and associated attachments sent into CTS. Information related to our services that is stored within Microsoft SharePoint/OneDrive.
See Microsoft later for clarification of potential data within CloudAlly.
GoToAssist
Website: https://www.goto.com/
Usage: Utilised for remote access to systems to complete assessments/support of devices
DATA: IP Address details for the connection, Name of persons creating the support sessions and once access is obtained (always guided - with the recipient watching whilst we are connected).
TeamViewer
Website: https://www.teamviewer.com/en/
Usage: Utilised for remote access to systems to complete assessments/support of devices
DATA: IP Address details for the connection, Name of persons creating the support sessions and once access is obtained (always guided - with the recipient watching whilst we are connected).
IASME
Website: https://iasme.co.uk/
Usage: The NCSC Delivery Partner responsible for the Cyber Essentials Scheme
DATA: Any data entered into the PERVADE system (Cyber Essentials Customer Data-Management & Certification System), which will, in some cases, include IP addresses and email addresses along with standard company contact details.
KNOWBE4
Website: https://www.knowbe4.com/
Usage: Cyber Training / Phish Testing
DATA: Generally internally utilised; however, it contains username and contact information for those who are utilising the platform, which may include the IP address from which the connection into the platform was established.
Microsoft Office 365
Website: https://www.office.com
INCLUSION: Within Microsoft Office 365 we include any and all related tools that are available now and may be available in the future, for example, OneDrive, Teams, SharePoint and Designer.
Usage: Microsoft Office 365 is the main platform utilised within Cyber Tec Security for communications and document storage.
DATA: Microsoft Exchange will hold any data shared with us via email, which could include anything from contracts containing company details, financial records and other data, to basic information around vulnerabilities, IP addresses for companies being assessed and sometimes contact details for employees of companies under assessment, used merely to complete assessments. EndPoint Manager (EDR) will also have access to our internal user details, such as device names, user names and other associated data from their devices.
Microsoft Azure
Whilst Microsoft Azure is part of the Microsoft 365 estate, we have separated this as the services primarily utilised within Azure are for assessments only and may contain other data.
Website: https://azure.microsoft.com/en-gb/
Usage: Hosting of some required systems/services such as:
- Within Microsoft Azure we have our own instances of Nessus Professional and Kali Linux, which are used by the assessment team for external port enumeration and vulnerability assessments.
- Our Partner Portal is hosted within Azure where we store our product information and other service information, along with client information, such as renewals due and some basic contact information.
- We host a VPN solution within Microsoft Azure which allows our assessment team to connect to the platform, as no services/systems are externally available.
- Microsoft 365 will be utilising Microsoft AzureAD for authentication services for any of our own employees and of course, any guests who have been provisioned with any shared access to files or data. Microsoft MFA solutions are also used and these will have employee contact details, including personal mobile phone data, required to authenticate users.
DATA: Within the assessment tools we will have data related to IP addresses and website details for clients under assessment or within our vulnerability management solutions. Other data, such as last known users and domain names, may also be present. Internally, contact details for AzureAD management for our employees will also be recorded.
3rd Party Support Provision
We have no requirement for any third-party support or Managed Services Providers as our team are all experienced ICT and Security Professionals, with more than 10 years of experience each, within Managed Services and Direct Support Organisations. Therefore our support is provided internally via our own security team.
3rd Party Product Suppliers
Where we may, from time to time, provide other products and solutions which complement our own products and services, we will only pass on to those providers the contact details required for them to facilitate the contract required to deliver those services.
Our third-party providers may well request further details directly from you in order to help deliver their specific services; however, these requirements will be addressed on a case-by-case basis.