Privacy Policy & Security Standards
Effective Date: July 8, 2026. This document details how CyberSton collects, secures, processes, and disposes of personal data and server environment credentials.
1. Regulatory Compliance Framework
CyberSton operates in compliance with international privacy regulations, including the General Data Protection Regulation (GDPR) (EU/UK), the California Consumer Privacy Act (CCPA/CPRA), and other applicable regional data protection statutes. We act as a Data Processor when handling your website databases and server environments, and as a Data Controller regarding the billing and contact details you submit directly to our application.
2. Information We Collect & Data Classifications
We classify the data we collect into three distinct categories:
- Account and Contact Data (Controller Scope): Name, email address, preferred messenger handle (WhatsApp, Telegram, or Viber), and business billing details. This data is collected to establish communication and manage invoice payments.
- Diagnostic and System Metrics (Processor Scope): Affected website URLs, error log extracts, server configuration details, and description of outage events submitted via our Quote Questionnaire.
- Network Logs and Cookies: IP addresses, browser user agent strings, and security cookies used to validate active user sessions, prevent Cross-Site Request Forgery (CSRF) exploits, and persist interface states (e.g., dismissing lead callback popups).
3. Enterprise-Grade Credential Protection & Purge Protocol
Resolving critical incidents (e.g., database repair, malware extraction, PHP upgrades) requires temporary administrative access to your servers, CMS, databases, or FTP systems. To secure this sensitive data, we implement a strict **Credential Quarantine and Disposal Standard**:
Credential Security Standard Operating Procedure:
- Transit Encryption: All passwords and access tokens submitted are encrypted in transit using industry-standard TLS 1.3 cryptographic suites.
- Isolation: Credentials are only accessible to the specific certified security engineer assigned to the incident. They are never cached or logged in plain-text support logs.
- Purge Routine: Within twenty-four (24) hours of marking an inquiry as "Resolved" or "Closed," all credentials, temporary codes, and access details are permanently deleted from our active workspaces.
- Rotation Mandate: Clients are legally required to change all shared passwords (FTP, database, hosting control panels, and CMS admins) immediately upon receiving the final incident report. CyberSton disclaims all liability for breaches resulting from unchanged credentials.
4. Third-Party Data Processors
We coordinate with specialized third-party services to maintain secure hosting infrastructure and billing compliance. These include:
- Stripe, Inc.: Used to process invoice payments securely. Card details are processed directly on Stripe's PCI-DSS Level 1 compliant infrastructure. CyberSton does not store, view, or transmit card numbers.
- Database Hosting & Infrastructure: Local environment data and client records are stored on secure cloud nodes configured with active firewalls, rate limiting, and routine off-site database backups.
5. Data Retention & Preservation Policy
Unless otherwise requested, personal contact details, incident descriptions, and invoices are retained for legal audit, tax, and accounting compliance purposes for a period of up to five (5) years from the transaction date. Log files, IP details, and transient network cookies are purged within ninety (90) days.
6. Your Rights Under GDPR & CCPA
Depending on your jurisdiction, you possess the following rights regarding your personal data:
- The Right to Access & Portability: Request a structured extract of all personal contact records held.
- The Right to Erasure ("Right to be Forgotten"): Request complete deletion of your diagnostic inquiries and contact history.
- The Right to Rectification: Ask us to update incorrect billing details, email addresses, or messenger contacts.
To exercise these rights, please submit a request to our compliance officer at [email protected]. We will process verified requests within thirty (30) calendar days.