Privacy Policy

Preamble

This is the Hacking-Lab (HL) Privacy Policy, hereby referred as: https://www.hacking-lab.com/privacy. Compass Security Network Computing AG (CSNC) is the owner of Hacking-Lab AG. The owner will be referred as CSNC.

1 Introduction

This Policy details our commitment to protecting the privacy of individuals who visit this website (“Website Visitors”), and individuals who use the Hacking Lab platform on any service on *.hacking-lab.com. The Hacking-Lab platform is used to host and run various online cyber security events, cyber security trainings, capture-the-flag competitions, and hands-on training labs. Hacking-Lab is running these events on-behalf of the customer (organizer) and these are hereby referred as “HL events”. Compass Security Network Computing AG (CSNC) is the owner of Hacking-Lab AG. The owner will be referred as CSNC.

2 Scope Of This Policy

In addition to the Websites that link to this Policy, this Policy applies to the following:

  • Hacking Lab Cyber Range: *.hacking-lab.com / *.hacking-lab-ctf.com
  • CSNC Websites: *.compass-security.com, *.csnc.ch
  • CSNC Mobile Applications ("Apps"): HackyEaster / ConFoxy, Filebox Client and other Apps provided by CSNC
  • CSNC Filebox Solution: *.filebox-solution.com

In this Policy, personal information means information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, and online identifier or to one or more factors specific to his/her physical, physiological, genetic, mental, economic, cultural or social identity. The use of information collected through our Service shall be limited to the purpose of providing the Service for which the Subscribers has engaged.

Our Websites may contain links to other websites and the information practices and the content of such other websites are governed by the privacy statements of such other websites. We encourage you to review the privacy statements of any such other websites to understand their information practices.

Account Information (as defined below) and other information we collect in connection with your registration or authentication into our Services (as defined below) is covered by this Policy. The security and privacy practices, including how we protect, collect, and use electronic data, text, messages, communications or other materials submitted to and stored within the Services by You (“Service Data”), are detailed by this Privacy Policy. If a Subscription Agreement, or other applicable agreement/contract between you and any member of the CSNC Group relating to your access to and use of a specific Service (collectively referred to as the “Service Agreement”) has been agreed upon, this Service Agreement will overrule this Privacy Policy.

3 Information That You Provide To Us

Account and Registration Information:
We ask for and may collect personal information about you such as your name, address, phone number, email address, gender and birthdate information.

We refer to any information described above as “Account Information” for the purposes of this Policy. By voluntarily providing us with Account Information, you represent that you are the owner of such personal data or otherwise have the requisite consent to provide it to us.

Other Submissions:
We ask for and may collect personal information from you when you submit web forms on our Websites or as you use interactive features of the Websites, including, participation in surveys, contests, promotions, sweepstakes, requesting customer support, or otherwise communicating with us.

Attendee Information:
We ask for and may collect personal information such as your name, address, phone number and email address when you register for or attend a sponsored event or other events at which any member of the CSNC Group participates.

Mobile Application: When you download and use our Services, we automatically collect information on the type of device you use, and operating system version. These data is collected by our Apps (in addition to the "Account Information"):

  • Hacky-Easter: Score, Solutions
  • ConFoxy: Photos and comments
  • Filebox Client: File content as exchanged by the FileBox owners and communication partners

4 Information That We Collect From You on our Websites

Cookies and Other Tracking Technologies:
We may use cookies and other information gathering technologies for a variety of purposes. Specifically we are using Matomo with cookies to collect and analyse information about how you interact with our websites (web analytics), and to recognize and stop any misuse. These technologies may provide us with personal information, information about devices and networks you utilize to access our Websites, and other information regarding your interactions with our Websites.

Analytics:
We collect analytics information when you use the Websites to help us improve them:

  • We use Matomo to track and process the following personal data: Cookies, Anonymised IP address, User ID, Dimensions, Variables, Pages visited, browser and device used, mouse movements, anonymised key strokes, and more (As described here https://matomo.org/matomo-cloud/). Once the data is processed (number of visitors reaching a not found pages, viewing only one page…), Matomo is generating reports to take action, for example changing the layout of the pages, publishing some fresh content…
  • Hacking-Lab uses Hacking-Lab Analytics based on browser fingerprinting technologies for fraud detection. Hacking-Lab stores IP-addresses, nicknames, usage times, browser and operating system properties.

Without the data, we would not be able to provide you the service we are currently offering to you. Your data will be used only to improve the user experience on our website and help you find the information you are looking for.

Logs:
As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when you interact with our Websites and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, information you search for, locale and language preferences, identification numbers associated with your devices, your mobile carrier, and system configuration information.

5 Information Collected From Other Sources

Social Media Buttons:
Our Websites provides a link to social media websites like Facebook or Twitter. We do not use Social Media Plugins. Your interactions with these features are governed by the privacy statement of the companies that provide them.

6 How We Use Information That We Collect

General Uses:
We may use the information we collect about you (including personal information, to the extent applicable) for a variety of purposes, including to (a) provide, operate, maintain, improve, and promote the Services; (b) enable you to access and use the Services; (c) process and complete transactions, and send you related information, including purchase confirmations and invoices or job advertisements; (d) send transactional messages, including responses to your comments, questions, and requests; provide customer service and support; and send you technical notices, updates, security alerts, and support and administrative messages; (e) process and deliver contest entries and rewards; (f) monitor and analyze trends, usage, and activities in connection with the Websites and Services and for marketing or advertising purposes; (g) investigate and prevent fraudulent transactions, unauthorized access to the Services, and other illegal activities; and (h) for other purposes for which we obtain your consent.

If we send you promotional communications, such as providing you with information about products and services, features, surveys, newsletters, offers, promotions, contests, and events; and provide other news or information about us and our partners, we will ask you for your explicit consent (dual opt-in or similar method) before we will do so. You can opt-out of receiving marketing communications from us by contacting us at privacy@compass-security.com or following the unsubscribe instructions included in our marketing communications.

Legal Basis for Processing:
We collect personal information from you only where: (a) we have your consent to do so, (b) where we need the personal information to perform a contract with you (e.g. to deliver the CSNC Services you have requested), or (c) where the processing is in our or a third party’s legitimate interests based on the GDPR. In some cases, we may also have a legal obligation to collect personal information from you.

Where we rely on your consent to process the personal information, you have the right to withdraw or decline your consent at any time. Please note that this does not affect the lawfulness of the processing based on consent before its withdrawal.

If we rely on our legitimate interest or that of a third party for data processing, you have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. Unless we have compelling legitimate grounds for the processing or the processing serves the establishment, exercise or defense of legal claims, we will no longer process your data.

If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our (or a third party’s) legitimate interests which are not already described in this Notice, we will make clear to you at the relevant time what those legitimate interests are.

If you have any questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided further below in Section 16.

7 Sharing Of Information Collected

Third-Party Service Providers:
Metanet: We host some of our webservers at Metanet (Metanet, Josefstrasse 218, CH-8005 Zürich). We use the service "Server Housing". This means, the provider does not have access to personal information stored on our servers.

OST: Ostschweizer Fachhochschule, Oberseestrasse 10, 8640 Rapperswil (https://www.ost.ch), a public Swiss university with a strong background in information security is hosting our HL Cyber Range. They are a IaS-Provider operating the Hacking-Lab infrastructure whereas the Hacking-Lab platform itself is operated by Hacking-Lab itself.

Canvas Credentials: We use Canvas Credentials to issue electronic certificates that you receive from us after successfully completing a course. Canvas Credentials is a service offered by INSTRUCTURE, 6330 South 3000 East Suite 700 Salt Lake City, UT 84121 USA.

Sendowl: We use Sendowl as an online service provider for sales processing. The order is recorded, payments are processed through various payment providers (Stripe) and necessary data for the realisation of the order is processed.

Stripe: We use Stripe as an online service provider providing debit and credit card processing as a service. All account information is stored by Stripe.

Atlassian Corporation Plc: We use products from Atlassian (Atlassian. Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia) to communicate with registered and non-registered users, e.g. Jira Service Management, Jira Work Management, Jira Software, Confluence for support management, project management, issue tracking, BugBounty Services and documentation. In this context, a transfer of data to other countries in which Atlassian offers services (e.g. USA) cannot be excluded. More detailed information on data processing by Atlassian can be found here: https://www.atlassian.com/legal/privacy-policy

Newsletter Service: We use the European mail delivery service "Sendinblue" to send our newsletters (www.sendinblue.com). This service is GDPR compliant and has entered into a data processing agreement with us, you can find more information here: https://www.sendinblue.com/gdpr/. By subscribing to the newsletter, you have to accept Sendinblue's terms and conditions for processing your data. The use of the newsletter service is independent of this website.

Matomo Cloud: We are using Matomo Cloud to collect and analyse information about how you interact with our websites (web analytics), and to recognize and stop any misuse. The personal data received through Matomo is sent to our Company and our service provider: InnoCraft, 7 Waterloo Quay PO625, 6140 Wellington, New Zealand. Matomo data is hosted in Frankfurt, Germany. All data and backups of Matomo Cloud are securely stored in Europe. This service is GDPR compliant and has entered into a data processing agreement with us, the privacy policy of Matomo Cloud can be found here: https://matomo.org/matomo-cloud-privacy-policy/.

Compliance with Laws and Law Enforcement Requests; Protection of Our Rights:
In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet law enforcement requirements. We may disclose personal information to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law.

Community Forums:
The Websites may offer publicly accessible blogs, community forums, comments sections, discussion forums, or other interactive features (“Interactive Areas”). You should be aware that any information that you post in an Interactive Area might be read, collected, and used by others who access it. To request removal of your personal information from an Interactive Area, contact us at privacy@compass-security.com. In some cases, we may not be able to remove your personal information, in which case we will let you know if we are unable to do so and why.

CSNC Group Sharing:
We may share information, including personal information, with any member of the CSNC Group.

With Your Consent:
We may also share personal information with third parties when we have your consent to do so.

8 International Transfer Of Information Collected

CSNC and Hacking-Lab are based in Switzerland. We operate globally. We store personal information about Website Visitors and Subscribers in Switzerland or in member countries of the EU or in Canada. To facilitate our global operations, we may transfer and access such personal information from around the world, including from other countries in which the CSNC Group has operations for the purposes described in this Policy. We may also transfer your personal information to our third party subprocessors as in section 7, who may be located in a different country to you. However, we only process your personal data in countries which are part of the EU or apply the same level of data protection as defined in the GDPR.

Whenever CSNC shares personal information with a CSNC entity it will do so on the basis of its CSNC Binding Data Protection Rules which establish adequate protection of such personal information and are legally binding on the CSNC Group.

If you are visiting our Websites please note that you are agreeing to the transfer of your personal information to the jurisdictions in which we operate. By providing your personal information, you consent to any transfer and processing in accordance with this Policy.

9 Communications Preferences

We offer those who provide personal contact information a means to choose how we use the information provided. You may manage your receipt of marketing and non- transactional communications by clicking on the “unsubscribe” link located on the bottom of our marketing emails or you may send a request to privacy@compass-security.com.

10 How Long We Retain Your Personal Information:

We will retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy unless you object to the processing beforehand or withdraw your consent, unless a longer retention period is required or permitted by law (e.g. for tax, accounting or other legal reasons). If we no longer have a legitimate business need to process your personal data, we will delete it. If this is not possible (e.g. because your personal data has been stored in backup archives), we will store your personal data securely and exclude it from any further processing until deletion is possible.

11 Your Privacy Rights

The security of your personal information is important to us. We follow the GDPR standards to protect the personal information submitted to us. If you have any questions about the security of your personal information, you can contact us at privacy@compass-security.com.

Upon request we will provide you with information about whether we hold, or process personal information about you. To request this information please contact us privacy@compass-security.com.

In addition, you will have the following rights:

  • Right of erasure: You have a right to erasure of personal information that we hold about you – for example, if it is no longer necessary in relation to the purposes for which it was originally collected. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations.
  • Right to object to processing: You have the right to request that CSNC stop processing your personal information and/or to stop sending you marketing communications.
  • Right to restrict processing: You have the right to request that we restrict processing of your personal information in certain circumstances (for example, where you believe that the personal information we hold about you is inaccurate or unlawfully held).
  • Right to data portability: In certain circumstances, you may have the right to be provided with your personal information in a commonly used format and to request that we transfer the personal information to another data controller without hindrance.

To make a request to have personal information maintained by us returned to you or removed, please email us. Requests to access, change, or remove your information will be handled within thirty (30) days.

If you would like to exercise such rights, please contact us at the contact details in Section 16 below. We will consider your request in accordance with applicable laws. To protect your privacy and security, we may take steps to verify your identity before complying with the request.

You also have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

12 Children’s Personal Information

We do not knowingly collect any personal information from children. We encourage parents and legal guardians to monitor their children’s Internet usage and to help enforce this Policy by instructing their children never to provide personal information through the Websites or Services without their permission. If you have reason to believe that a child under the age of 14 has provided personal information to us through the Websites or Services, please contact us at privacy@compass-security.com and we will use commercially reasonable efforts to delete that information.

13 Business Transactions

We may assign or transfer this Policy, as well as your account and related information and data, including any personal information, to any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.

14 Supplemental Terms and Conditions for Certain Regions

Canada:
Personal information (as the term is defined in the Personal Information Protection and Electronic Documents Act of Canada (“PIPEDA”)) will be collected, stored, used and/or processed by the CSNC Group in compliance with the CSNC Group’s obligations under PIPEDA.

15 Changes To This Policy

If there are any material changes to this Policy, you will be notified by our posting of a prominent notice on the Websites prior to the change becoming effective. Based on the severity and impact on your personal rights, your consent might be required for certain changes. In this case, we will notify you and ask for your consent.

In cases of minor changes which do not have an impact on your privacy, we will announce the changes on the websites. We encourage you to periodically review this page for the latest information on our privacy practices. Your continued use of the Websites or the Services constitutes your agreement to be bound by such changes to this Policy. Your only remedy, if you do not accept the terms of this Policy, is to discontinue use of the Websites and the Services.

16 Contact Us

If you have questions regarding this Policy or about the CSNC Group’s privacy practices, please contact us by email at privacy@compass-security.com, or at:

Compass Security Network Computing AG Werkstrasse 20 CH-8645 Jona Phone: +41 58 510 36 00

17 Choice of Law/Forum Selection

This Privacy Policy shall be subject to and construed in accordance with Swiss law.
The exclusive place of jurisdiction for disputes arising from the Use of Terms is Rapperswil-Jona, Canton of St Gallen (Switzerland).

Version

Hacking-Lab Privacy Policy, January 25th, 2024, Version 1.3