This Privacy Policy explains how DATA TRAIL processes personal data in accordance with the General Data Protection Regulation (GDPR), the Network and Information Security Directive (NIS2), and applicable national data protection laws. We are committed to safeguarding the privacy and security of personal data.
1. Who We Are
DATA TRAIL provides first incident response, cybersecurity crisis management, and NIS2 compliance services for B2B clients. We act as a data controller with respect to certain personal data processed in connection with our services.
2. Categories of Personal Data We Process
We may collect and process the following categories of personal data:
Identification data (name, surname, job title)
Contact details (email address, phone number)
Professional details (company name, department)
Technical information (IP address, log data, system identifiers)
Incident-related information (relevant logs, access records, investigation details)
Network and system data (network logs, endpoint data, server information and/or configuration data), and additional information including, but not limited to, authentication and access-control data, communication records, and information about insurance policies or business continuity plans.
The purpose of processing these data is to reconstruct the attack timeline, identify the threat vector, and preserve evidence for possible legal or compliance purposes.
3. Legal Basis for Processing
Our processing of personal data is based on the following legal grounds:
Under the GDPR
Article 6(1)(b) — performance of a contract.
Article 6(1)(c) — processing is necessary for compliance with a legal obligation to which the controller is subject (e.g., reporting breaches to authorities under GDPR Articles 33–34 and NIS2 Articles 23–30).
Article 6(1)(f) — legitimate interest in ensuring the security, integrity, and resilience of network and information systems.
Article 9(2)(f) — where special categories of data are involved, processing necessary for the establishment, exercise, or defence of legal claims.
Under the NIS2 Directive
Article 21(2) — obligation to adopt appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks.
Articles 23–26 — obligation to detect, handle, and notify incidents to competent authorities and affected entities.
Article 30 — obligation to maintain records and cooperate with supervisory and regulatory authorities during compliance assessments and audits.
4. Purposes of Processing
In a cyberattack crisis or an incident response situation, time is of the essence. We know. In general, we do not require access to the personal data or confidential information of the client organization; however, because of the nature of our services, some access to sensitive information is unavoidable. We therefore request specific access to data and confidential information so that we can provide our services in the shortest possible time.
We process personal data for the following purposes:
To provide incident management and cybersecurity services
To ensure compliance with NIS2 requirements
To investigate and mitigate cybersecurity incidents
To communicate with clients and stakeholders
To meet contractual and regulatory obligations
5. Data Sharing and International Transfers
Personal data may be shared with trusted partners, subcontractors, and competent authorities strictly for the purposes outlined in this Privacy Policy. Where data is transferred outside the EU/EEA, we ensure appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, and to comply with applicable legal, contractual, and regulatory requirements.
Personal data and related records processed in connection with a cybersecurity incident or data breach shall be retained only for as long as necessary to fulfill the purposes listed above.
Operational and forensic data shall generally be retained for a period of up to 36 months after the closure of the investigation, unless legal obligations or ongoing proceedings require longer retention.
Incident reports and regulatory correspondence shall be retained for a period of up to 6 years from the date of the incident, in line with limitation periods for potential legal claims or regulatory audits.
Where data are no longer necessary for these purposes, they shall be securely deleted or anonymized in accordance with our clients' internal regulations and requirements. Where our clients provide no instructions regarding data storage and retention, we apply the terms of our Data Retention Policy.
6.1. Categories of Data Retained
Depending on the nature of the incident, the following categories of data may be retained:
System and network logs, audit trails, and access records;
Communications related to the breach (e.g., incident reports, authority notifications, correspondence);
Affected user or employee identification data (where relevant for notification or investigation);
Forensic and investigative records, including technical indicators, malware samples, or intrusion data;
Evidence required to document decision-making and corrective actions.
7. Access and Security
Access to retained data shall be strictly limited to authorized personnel involved in cybersecurity, compliance, or legal functions. All retained records will be protected by appropriate technical and organizational measures in accordance with Article 32 GDPR, ensuring confidentiality, integrity, and availability.
8. Data Minimization and Review
DATA TRAIL applies the principle of data minimization (Article 5(1)(c) GDPR) and conducts regular reviews of stored incident-related data. Where retention is no longer justified, data will be irreversibly deleted or anonymized.
9. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or disclosure. These include encryption, access controls, monitoring, and incident response procedures.
10. Rights of Data Subjects
Individuals have the following rights under GDPR:
Right of access
Right to rectification
Right to erasure
Right to restriction of processing
Right to data portability
Right not to be subject to automated decision making
Right to object
Right to lodge a complaint with a supervisory authority
11. Contact Information
For any questions or to exercise your rights, please contact us:
DATA TRAIL
Address: Bucharest, 7th Turnu Magurele Street
Email: hello[at]datatrail.eu
Contact form: https://www.datatrail.eu/#contact
Last updated: June 2026