Privacy Policy
Last updated: 29 June 2026
Who We Are
Good CISO Limited is the UK company that maintains AWARE, the open-source security control plane for autonomous AI agents. The framework is Apache 2.0; this notice covers the data we hold as the project's maintainer and as a UK limited company.
Company: Good CISO Limited
Company number: [Companies House number]
Registered address: [Registered office address]
Contact: privacy@goodciso.org
We are the data controller for the personal data we process. We do not process customer data on behalf of others as a data processor.
What Personal Data We Collect and Why
We only collect the personal data we need to run our business. We do not collect unnecessary data and we do not sell personal data.
Staff Administration (Our Employees)
What: Name, address, date of birth, National Insurance number, bank details, salary, tax code, employment history.
Why: To pay salaries and meet our legal obligations as an employer.
Lawful basis: Contract performance and legal obligation.
Retention: 6 years after employment ends (HMRC requirement).
Marketing and Business Development
What: Name, job title, company, email, phone number, LinkedIn profile, interaction history.
Why: To share AWARE updates, framework releases, and security research with people who have asked to hear from us, and to maintain professional relationships.
Lawful basis: Legitimate interests (business development).
Retention: 2 years from last interaction, or until you ask us to stop.
Accounts and Records
What: Name, company name, address, bank details, payment history.
Why: To invoice for our services and meet legal accounting obligations.
Lawful basis: Legal obligation (tax and accounting).
Retention: 6 years (HMRC requirement).
Website Visitors
What: Information you provide through our contact form (name, email, message). Technical information to serve the website (IP address, browser type).
What we do NOT collect: We do not use analytics cookies that identify you. We do not track your browsing behaviour across other websites.
Lawful basis: Steps taken at your request before entering into a contract (contact form); legitimate interests (website security).
Retention: Contact form submissions: 1 year. Technical logs: 30 days.
How We Keep Your Data Secure
- Encryption: All data in transit is encrypted (HTTPS/TLS).
- Access control: Only authorised individuals can access personal data.
- Cloud security: Infrastructure runs on AWS with industry-standard controls.
- No unnecessary sharing: We do not sell your data. We share it only with the service providers listed under "Who We Share Data With" below, or where the law requires it.
- Note on AWARE users: AWARE is open-source software. Data you put through a self-hosted AWARE deployment is processed by your own infrastructure, not ours. This notice does not cover that data — see your own privacy controls.
Who We Share Data With
We only share personal data when necessary:
- HMRC: Tax and payroll compliance (employee data).
- Accountant: Financial accounts (financial records).
- Pension provider: Employee pensions (employee data).
- AWS / Cloudflare: Website hosting and security (technical logs).
- LinkedIn: Professional networking (public profile data).
We have data processing agreements in place with our service providers where required.
Your Rights
You have rights over your personal data:
- Access: See what data we hold about you.
- Rectification: Correct inaccurate data.
- Erasure: Ask us to delete your data.
- Restriction: Ask us to pause processing.
- Portability: Receive your data in a standard format.
- Objection: Object to our processing.
Contact for all requests: privacy@goodciso.org
Response time: We respond within one month. Complex requests may take up to three months.
No automated decision-making: We do not use automated systems to make decisions about you.
How to Complain
If you are unhappy with how we handle your data:
Good CISO Limited: privacy@goodciso.org
Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113
Address: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ICO Registration
Good CISO Limited is not required to register with the ICO because our processing of personal data falls within the exemptions in the Data Protection (Charges and Information) Regulations 2018 (staff administration, advertising/marketing for our own business, and accounts/records). We do not process customer data.
We are still fully committed to complying with UK GDPR and protecting your privacy.
Changes to This Notice
We may update this privacy notice from time to time. The latest version will always be available at goodciso.org/privacy.
Last updated: 29 June 2026 | Next review: 29 June 2027