1. Introduction
CSFaaS is committed to protecting your privacy and ensuring the security of the data processed through our platform. This Privacy Policy explains how we collect, use, store, protect, and disclose (or refrain from disclosing) your data when you access or use our services ("Service"), including the web application, our websites, the CSFaaS API, and the CSFaaS MCP endpoint.
The Service is provided by Dark Protect Limited, a company registered under the laws of Malta, with its principal place of business at Level 5, St. Julians Business Centre, Elija Zammit Street, St. Julians, STJ3153, Malta, and registered with the Registrar of Companies (Malta) under number C108959.
For the purposes of this Policy, "CSFaaS" refers to Dark Protect Limited operating under the CSFaaS brand, and may be used interchangeably with "we," "us," or "our" throughout this document.
Where you or your organization submit data into a CSFaaS workspace, the organization operating that workspace generally acts as the data controller and CSFaaS acts as a data processor, processing that data on the controller's instructions. For account, billing, website, and platform-security data described below, CSFaaS acts as a data controller.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree with the practices described herein, you should not use the Service.
2. Data Collection
We collect the following categories of data to provide, secure, bill, and improve the CSFaaS platform:
Account Information: Information provided during registration or account management, including your name, email address, company name, business contact details, login credentials, and authentication settings (such as whether multi-factor authentication is enabled).
Billing and Subscription Data: Billing contact details, subscription plan, seat counts, add-on selections, invoice history, and payment status. Payment card details are collected and processed directly by our payment processor and are never stored on CSFaaS systems (see Section 6).
Usage Data: Data generated through your interaction with the Service, such as configuration settings, audit and activity logs, user actions, system preferences, cybersecurity risk assessment inputs, and, when you use real-time collaboration features, transient presence signals (such as which page or element a workspace member is currently viewing or editing).
Sensitive and Submitted Data: Any personal, sensitive, confidential, or proprietary corporate data that you or your users voluntarily submit to the platform while using the Service for cybersecurity monitoring, compliance, or analysis purposes.
Note: While CSFaaS does not intentionally collect GDPR-defined "special categories of personal data," such data may be processed if submitted by you as part of the Service.
Invitation and Contact Data: When you invite someone to a workspace or share an object with them, we process the name and email address you provide about that person in order to deliver the invitation and manage their access.
API and Integration Data: When your organization uses the CSFaaS API or MCP endpoint, we process API key metadata (such as the key's name, assigned roles, and creation details) and request logs (such as endpoints called, timestamps, originating IP addresses, and response status) for authentication, security, rate limiting, audit, and abuse-prevention purposes.
Technical and Device Data: Data automatically collected from your device or browser when you access the platform, including your IP address, browser type and version, operating system, device identifiers, language settings, and referral URLs.
Communications: Information you provide when you contact us, request support, book a demonstration or meeting (including through third-party scheduling tools), or otherwise correspond with us.
3. Purpose of Data Processing
We process personal and corporate data for the following purposes, in accordance with applicable data protection laws and based on one or more legal bases, including contractual necessity, legitimate interest, and legal obligation:
To deliver and operate the Service: This includes account setup, authentication, access management, and service provisioning.
To manage subscriptions and billing: Including seat counting, plan and add-on administration, invoicing, payment collection through our payment processor, and the suspension or restoration of access in connection with payment status.
To maintain and improve the Service: Including feature development, performance optimization, bug fixes, and technical support.
To support cybersecurity risk management: Including data analysis, risk scoring, vulnerability monitoring, and compliance reporting tools.
To operate programmatic access: Including authenticating API keys, enforcing access scopes and rate limits, and maintaining security and audit logs of API and MCP activity.
To communicate with you: Such as service updates, security alerts, administrative messages, and user support.
To ensure platform security and prevent misuse: Including fraud prevention, unauthorized access monitoring, incident response, and abuse detection.
To comply with legal and regulatory obligations: Including data retention requirements, audit readiness, anti-money laundering (AML) compliance, tax obligations, and lawful requests from competent authorities.
4. Cookies and Similar Technologies
We use cookies and similar technologies (such as local storage) to operate and secure the Service. These fall into the following categories:
Strictly Necessary: Cookies required for authentication, session management, security (including multi-factor authentication and fraud prevention), load balancing, and payment processing. The Service cannot function without them, and they do not require consent under applicable law.
Preferences: Cookies or local storage entries that remember your settings, such as language, theme, and interface preferences.
Analytics and Performance: Where used, measurement technologies that help us understand how the Service and our websites are used so we can improve them. Where required by applicable law, such technologies are only activated with your consent, which you may withdraw at any time.
You can manage or delete cookies through your browser settings. Blocking strictly necessary cookies will prevent parts of the Service (including sign-in) from working.
5. Data Hosting and International Transfers
Customer data stored in the platform's primary databases and file storage is hosted in secure, high-availability data centers located within the European Union (EU), and processing activities are designed to comply with the privacy and security standards set forth under the General Data Protection Regulation (GDPR).
Certain ancillary processing may involve carefully selected sub-processors that operate, in whole or in part, outside the European Economic Area (EEA); for example payment processing, transactional email delivery, network routing and content delivery, scheduling tools, and infrastructure supporting specific features.
Where personal data is transferred outside the EEA, we ensure the transfer is safeguarded in accordance with Chapter V of the GDPR, through mechanisms such as an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs) approved by the Commission, or other legally recognized instruments that ensure an equivalent level of data protection, together with supplementary measures where appropriate.
By keeping primary data storage within the EU and controlling cross-border data flows through recognized safeguards, we maintain a high level of trust, data sovereignty, and regulatory compliance.
6. Payment Information
Payments for CSFaaS subscriptions and add-ons are processed by a third-party payment processor (currently Stripe). When you make a payment, your payment card details are transmitted directly to the payment processor and are never stored on CSFaaS systems. CSFaaS receives only limited payment metadata necessary to administer your subscription, such as payment status, the last digits and expiry of a card, invoice records, and billing contact details.
The payment processor acts as an independent controller for certain processing it carries out (such as fraud prevention and regulatory compliance) and processes your data in accordance with its own privacy policy, which we encourage you to review.
7. API, MCP and Connected AI Tools
CSFaaS allows workspace administrators to create scoped API keys and to connect third-party software, including AI assistants and agents over the Model Context Protocol (MCP), to their workspace data.
When you or your organization connect such a tool, workspace data returned through the API or MCP endpoint is transmitted, at your direction, to the third-party tool and provider that you selected. That provider processes the data under its own terms and privacy policy, outside of CSFaaS's control. CSFaaS is not responsible for how a third-party tool or AI provider stores, uses, retains, or further processes data you choose to send it, including any use for model training. We strongly recommend reviewing your provider's data-handling terms before connecting it to a workspace containing personal or confidential data.
For security and accountability, CSFaaS logs API and MCP requests (including key identity, endpoints accessed, timestamps, and originating IP addresses) and retains these logs for audit and abuse-prevention purposes. Workspace administrators can review keys, restrict their scope through role assignment, revoke individual keys, or disable API access for a workspace entirely at any time.
8. Data Retention and Deletion
8.1 Retention Period
We retain personal and corporate data only for as long as necessary to deliver the Service, fulfill contractual obligations, and comply with applicable legal or regulatory requirements. Backup archives are securely maintained for a period of one (1) year to support disaster recovery and business continuity operations. Billing and invoicing records are retained for the period required by applicable tax and accounting law.
8.2 Activity and Audit Logs
Activity, audit, and API request logs are retained for the life of the relevant workspace for security, integrity, and accountability purposes. The history window visible within the Service may depend on your subscription plan and add-ons; a shorter visible window does not mean the underlying records have been deleted.
8.3 Demonstration Workspaces
Demonstration workspaces pre-filled with fictitious sample data may be removed by CSFaaS, including automatically after extended periods of account inactivity or when you choose to leave them. Content placed in a demonstration workspace should not be treated as durably retained.
8.4 Deletion Requests
You may request the deletion of specific personal or corporate data at any time. Upon receipt of such a request, CSFaaS will delete the identified data from active systems and prevent further processing, subject to legal retention obligations. Data residing in backup archives will remain inaccessible and will be securely purged after the one-year retention period, in accordance with our internal data retention policies and applicable laws.
8.5 Account Termination
Upon termination of your account, either by you or by CSFaaS, your data will be either permanently deleted or irreversibly anonymized, in accordance with applicable data protection laws and retention obligations. You are responsible for exporting any data you wish to keep before termination.
9. User Rights and Data Access
In accordance with the General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
Right of Access: You have the right to request confirmation of whether we process your personal data and, if so, to access that data and obtain a copy.
Right to Rectification: You have the right to request the correction of inaccurate or incomplete personal data concerning you.
Right to Erasure ("Right to be Forgotten"): You may request the deletion of your personal data, subject to our legal obligations or overriding legitimate interests (e.g., fraud prevention, regulatory compliance).
Right to Restrict Processing: You may request the restriction of processing where you contest the accuracy of the data, object to the processing, or believe the processing is unlawful and you oppose erasure.
Right to Data Portability: Where processing is based on consent or contract and carried out by automated means, you may request that we provide your data in a structured, commonly used, and machine-readable format for transmission to another controller.
Right to Object: You may object, on grounds relating to your particular situation, to the processing of your personal data where the legal basis is our legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds to continue.
Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing carried out before the withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, in particular the Office of the Information and Data Protection Commissioner (IDPC) in Malta or the supervisory authority of your habitual residence or place of work.
Where your personal data was submitted into a workspace operated by a customer organization, that organization is generally the data controller for it. In that case we may refer your request to the relevant organization and will assist it in responding, in accordance with our role as processor.
To exercise any of the above rights, please contact our Data Protection Team at [email protected]. We may require verification of your identity before processing your request. We will respond within the timeframes prescribed by applicable law, typically within one (1) month.
10. Data Sharing and Disclosure
CSFaaS does not sell or rent your personal or corporate data to third parties for direct marketing purposes.
However, we may use aggregated, anonymized, or statistical data derived from customer usage patterns to help third parties understand business trends, customer segments, or market insights. This information may be used to support audience-based advertising, business intelligence, or industry benchmarking, but it does not contain any data that identifies you or your organization personally.
We may also disclose your data under the following specific circumstances:
To Authorized Service Providers: We work with carefully selected third-party vendors who support the operation and delivery of our Service, in categories such as cloud hosting and databases, payment processing, transactional email delivery, network and content delivery, scheduling, and monitoring. These providers act under our instructions (except where they are independent controllers, such as our payment processor) and are contractually obligated to protect your data. A list of sub-processors is available upon request.
At Your Direction: When you connect a third-party tool to your workspace (including an AI assistant over the API or MCP endpoint, as described in Section 7), export data, or use a sharing feature, we disclose the relevant data to the recipient you designated. Such disclosures are made at your instruction and are governed by the recipient's own terms.
As Required by Law: We may disclose your data to comply with legal obligations, regulatory inquiries, court orders, or lawful requests from government authorities.
In Connection with Business Transfers: If CSFaaS is involved in a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the acquiring entity, subject to appropriate confidentiality and data protection obligations.
To Protect Rights and Safety: We may disclose data when necessary to enforce our Terms of Use, investigate potential violations or security incidents, or protect the rights, property, or safety of CSFaaS, our users, or others.
11. Incident Response and Breach Notification
CSFaaS takes the security of your data seriously and is committed to responding promptly to any suspected or confirmed data breaches.
In the event of a security incident, CSFaaS will make reasonable efforts to contain and investigate the issue and to comply with applicable legal requirements. If it is determined that a breach has occurred that may impact your data, CSFaaS will notify affected users as soon as practicable, providing relevant information about the nature of the incident and the actions being taken in response.
The relevant data protection authority will be informed if the incident meets the applicable legal thresholds for reporting. Where CSFaaS acts as a processor, it will notify the affected customer (as controller) without undue delay so the customer can meet its own notification obligations.
12. Ongoing Security and Compliance Efforts
CSFaaS is committed to the continuous improvement of its security posture and information governance practices. We are actively working toward ISO/IEC 27001 compliance, an internationally recognized standard for information security management systems (ISMS).
Our technical and organizational measures include encryption of data in transit, workspace-level access isolation enforced at the database layer, role-based access controls, optional multi-factor authentication for user accounts, scoped and revocable API keys, and security logging of account and API activity.
Our ongoing efforts include regular risk assessments, internal security reviews, and incremental enhancements to our technical and organizational controls. These efforts are designed to strengthen the confidentiality, integrity, and availability of the data we process.
While we do not publicly disclose detailed elements of our security architecture for operational security reasons, please be assured that we follow recognized industry best practices and are continually updating our infrastructure, procedures, and policies to help protect your data against evolving threats.
13. Liability and Disclaimers
CSFaaS shall not be held responsible for any unauthorized access to data resulting from circumstances beyond our reasonable control, including but not limited to acts of third parties, force majeure events, failures in external infrastructure, or your own disclosure of data to third-party tools connected at your direction.
To the maximum extent permitted by law, CSFaaS disclaims all liability for indirect, incidental, special, or consequential damages arising from or related to your use of the Service, including but not limited to loss of profits, business interruption, loss of data, or reputational harm.
You acknowledge that, despite the implementation of robust technical and organizational security measures, no system can be guaranteed to be completely secure. Accordingly, you agree that CSFaaS's liability, if any, shall be strictly limited in accordance with the provisions set out in our Terms of Use.
14. Updates to the Privacy Policy
We reserve the right to update or modify this Privacy Policy at any time to reflect changes in our practices, legal obligations, or the functionality of the Service. If we make material changes, we will provide notice by updating the version on our website and, where appropriate, by notifying you via email or through the Service interface.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service following the publication of any updates constitutes your acceptance of the revised Privacy Policy.
15. Contact Information
For any questions, concerns, or requests related to this Privacy Policy or the processing of your data, please contact our Data Protection Team:
CSFaaS Data Protection Team
Email: [email protected]
Address: Level 5, St. Julians Business Centre, Elija Zammit Street, St. Julians, STJ3153, Malta.
Please review this Privacy Policy carefully. Your continued use of the CSFaaS platform indicates your agreement with these privacy practices.