Privacy Policy
Last updated: 20 May 2026
Data Controller
Good CISO Limited ("Good CISO", "we", "our") is the data controller for all personal data processed in connection with the AWARE platform. We are a company registered in England and Wales. Our registered office is in the United Kingdom.
For data protection enquiries, contact privacy@goodciso.org.
Data We Collect
Client operational data: Documents, policies, procedures, and operational data that you upload to the AWARE platform for compliance analysis. This data is processed on your instructions, with Good CISO acting as a data processor under your authority.
Usage data: IP addresses, browser type, and device information collected via AWS CloudFront for site analytics. This data is anonymised where possible and is not used to identify individual users.
Communications data: Information you provide when contacting us via email, Calendly, or LinkedIn, including your name, organisation, and role.
Legal Basis for Processing
We process personal data under the following UK GDPR legal bases:
- Contract performance (Article 6(1)(b)): Processing necessary to provide the AWARE platform services under our service agreement with you.
- Legitimate interests (Article 6(1)(f)): Security monitoring, fraud prevention, and service improvement. We have assessed that these interests do not override your rights and freedoms.
- Consent (Article 6(1)(a)): Marketing communications. You can withdraw consent at any time via the unsubscribe link in our emails or by emailing hello@goodciso.org.
Your UK GDPR Rights
You have the following rights over your personal data:
- Right of access: Request a copy of all personal data we hold about you.
- Right to erasure: Request deletion of your personal data, subject to regulatory retention requirements.
- Right to rectification: Request correction of inaccurate personal data.
- Right to portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
To exercise any of these rights, email privacy@goodciso.org. We respond within 30 days.
Data Retention
Client operational data is retained for the duration of the service agreement plus 7 years for regulatory compliance purposes. After the retention period, data is securely deleted within 60 days.
Analytics data is anonymised after 26 months. Communications data is retained for 3 years after last contact.
Third Parties
We use the following third-party service providers:
- AWS (UK/EU regions): Cloud infrastructure and data storage. Data processed under a Data Processing Agreement.
- Google Analytics (anonymised): Website usage analytics with IP anonymisation enabled.
- Calendly: Demo booking scheduling. Your Calendly data is subject to Calendly's privacy policy.
- LinkedIn: Company page analytics and optional LinkedIn sign-in.
Good CISO does not sell, rent, or transfer personal data to any other third party.
UK GDPR Representative
Good CISO is registered with the Information Commissioner's Office (ICO) under registration number Z1234567. You have the right to lodge a complaint with the ICO if you believe we have processed your data unlawfully.