01 Who we are
Solusec Ltd is a company registered in England & Wales (Company No. 13352754), trading as Solusec. Our registered office is The Red House, Albrighton, WV7 3LU.
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, Solusec Ltd is the data controller in respect of personal data we collect about our website visitors, enquirers, clients, and prospective clients.
We are registered with the Information Commissioner's Office (ICO). Our registration reference is ZC103067 and our entry can be verified at ico.org.uk.
02 Scope of this notice
This notice covers personal data we process when you:
- visit solusec.co.uk or any of its subdomains;
- contact us through our website, by email, phone, or on social media;
- engage us for professional services (penetration testing, incident response, consultancy, vulnerability management, VDP/BBP administration, threat intelligence);
- receive a report, assessment, or deliverable from us in the course of an engagement.
Where we act as a data processor on behalf of a client (for example, when triaging submissions for a client's vulnerability disclosure programme, or handling incident response data under instruction), we process personal data strictly in accordance with the client's written instructions and a data processing agreement. That activity is not covered by this notice in detail — it is governed by the underlying contract with the client.
03 Personal data we collect
We limit the personal data we collect to what we actually need. Depending on how you interact with us, this may include:
| Category | Examples |
|---|---|
| Identity & contact | Full name, business email, phone number, employer / organisation, job title. |
| Enquiry content | The message you send via our contact form or by email, including any details you choose to share about your systems, incident, or requirements. |
| Engagement records | Statements of work, scoping information, authorised testing targets, rules of engagement, signed authorisations, invoices and purchase orders. |
| Technical data | IP address, user-agent, referral source, pages visited, approximate geolocation (from IP), timestamps. Collected via standard web-server logs. |
| Communications | Emails, call notes, meeting minutes, Signal/Slack/Teams messages (where you chose to use those channels with us). |
| Special category / sensitive data | We do not routinely collect special category data. Incident-response engagements may occasionally involve exposure to sensitive data belonging to the client or their users — this is handled under contract and strict access controls. |
04 Lawful bases for processing
We rely on the following lawful bases under Article 6 UK GDPR:
- Contract (Art. 6(1)(b)) — to quote, scope, and deliver professional services you have engaged us for, and to manage our client relationship with you.
- Legitimate interests (Art. 6(1)(f)) — to respond to enquiries, maintain the security of our website and infrastructure, keep records of our engagements, and pursue or defend legal claims. We balance these interests against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — to comply with UK tax, accounting, anti-money-laundering, and other statutory requirements.
- Consent (Art. 6(1)(a)) — where required, for example if we ever send marketing communications to an individual subscriber; you can withdraw consent at any time.
05 How we use your data
We use personal data to:
- reply to enquiries and provide quotes;
- scope, schedule, authorise, perform, and report on security engagements;
- issue invoices, accept payments, and keep accounting records;
- operate and secure our website, email, and collaboration tools;
- comply with professional standards and legal obligations;
- improve our services based on aggregated, non-identifying feedback.
We do not sell your personal data, and we do not use your data for automated decision-making or profiling that has legal or similarly significant effects on you.
06 Who we share data with
We share personal data only where necessary and under appropriate safeguards. Our categories of recipients are:
- Sub-processors and service providers — reputable suppliers supporting our business, such as email & productivity (Microsoft 365 / Google Workspace), web hosting, document signing, accounting software, and secure messaging. Each is bound by written terms and confidentiality.
- Professional advisers — our accountants, insurers, and legal counsel where genuinely required.
- Authorities — where we are required by law (HMRC, law enforcement, regulators including the ICO).
- Clients — where you are a researcher submitting to a VDP/BBP we manage, or an individual named in an engagement deliverable, your information may be shared with the relevant client as part of triage or reporting, under contract.
We never share personal data with third parties for their own marketing purposes.
07 International transfers
Some of the providers we use are based outside the UK (typically the EEA and the United States). Where personal data is transferred outside the UK we rely on one of the following safeguards required by UK GDPR:
- an adequacy decision from the UK government;
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses;
- where appropriate, binding corporate rules of the recipient.
Details of the specific safeguards used for a given transfer are available on request.
08 Retention periods
We keep personal data only as long as we need it:
| Data | Retention |
|---|---|
| Unsuccessful enquiries | Up to 12 months, then deleted. |
| Client engagement records & reports | 7 years from end of engagement (for audit, insurance, and legal limitation periods). |
| Accounting & tax records | At least 6 years, per HMRC requirements. |
| Web-server logs | Up to 90 days in active storage; anonymised aggregates thereafter. |
| Marketing contact details (where opted in) | Until you unsubscribe or 24 months of inactivity, whichever is sooner. |
09 How we protect your data
We are a cyber security company — we take this seriously. Our technical and organisational measures include, but are not limited to:
- full-disk and data-at-rest encryption on all endpoints and project storage;
- TLS for data in transit; enforced HTTPS on all public endpoints;
- strong authentication (phishing-resistant MFA) and role-based access controls;
- hardened, patched endpoints with EDR monitoring;
- separate, client-scoped project workspaces with need-to-know access;
- secure delivery of sensitive reports (encrypted channels; passphrase-protected documents);
- documented incident-response and breach-notification procedures;
- annual review of our information security posture.
Despite these controls, no system can be guaranteed 100% secure. If we become aware of a data incident involving your personal data, we will act in accordance with our breach-notification procedure (see section 12).
10 Your rights
Under UK GDPR you have the right to:
- Be informed — this notice, and updates to it.
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete data, subject to legal retention obligations.
- Restrict processing — ask us to pause certain uses of your data.
- Data portability — receive certain data in a structured, commonly-used, machine-readable format.
- Object — object to processing based on legitimate interests or to direct marketing.
- Withdraw consent — where we rely on consent, withdraw it at any time.
- Not be subject to automated decision-making that has legal or similarly significant effects.
To exercise any of these rights, email info@solusec.co.uk. We will respond within one calendar month and may ask you to verify your identity first.
11 Cookies & analytics
Our website uses the minimum necessary cookies to function. We do not set advertising cookies and we do not sell any data collected through our site.
If we use a privacy-respecting analytics tool (e.g. self-hosted Plausible or Matomo with IP anonymisation), it is configured to avoid cross-site tracking and is covered by our cookie banner where required.
You can control cookies via your browser settings at any time. Blocking strictly-necessary cookies may prevent some parts of the site from working.
12 Breach notification
If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- notify the ICO within 72 hours of becoming aware, where required;
- inform affected data subjects without undue delay where the risk is high;
- provide a clear summary of what happened, what data was involved, the likely consequences, and the measures we are taking.
13 Children's data
Our services are directed at organisations, not children. We do not knowingly collect personal data from children under 13. If you believe we have received data from a child, please contact us and we will delete it.
14 Changes to this notice
We may update this notice from time to time to reflect changes to our practices, services, or the law. The "Last updated" date at the top of the page will always show when the notice was last revised. Material changes will be brought to your attention where appropriate.
15 Contact & complaints
If you have any questions about this notice, how we handle your data, or you'd like to exercise your rights, please contact:
Solusec Ltd
The Red House, Albrighton, WV7 3LU
Email: info@solusec.co.uk
ICO registration: ZC103067
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would, however, appreciate the chance to address any concerns before you approach the ICO.