Coinnect Cynapsi EASM and TPRM is a cyber-risk intelligence solution. It helps customers understand externally visible digital assets, exposures, vulnerabilities, misconfigurations, security signals and third-party cyber risk.
· Coinnect primarily provides intelligence to customers. The external technical and security data in the Solution is mainly collected, enriched or generated by Coinnect through external intelligence, observation and analysis of publicly accessible or externally reachable digital assets.
· Customers usually provide seed identifiers only. Typical customer inputs include organization names, domains, subsidiaries, supplier names, supplier domains and, where relevant, optional IP addresses or IP ranges.
· Customers are not expected to upload internal security data. The Solution does not require internal network logs, incident files, credentials, source code, business content, employee files, customer records or sensitive personal data.
· We process personal data only where necessary. Personal data may be processed to operate the Solution, manage accounts, provide support, secure our services, comply with law and communicate with customers.
1. Who we are
Coinnect SA, via Penate 16, 6850 Mendrisio, Switzerland ("Coinnect", "we", "us" or "our") provides External Attack Surface Management ("EASM") and Third-Party Risk Management ("TPRM") solutions to business customers. This Privacy Policy explains how we collect, use, disclose, protect and retain personal data in connection with the Coinnect EASM and TPRM Solution, our related services, customer support and business communications. It is intended for international business customers, their authorized users and individuals whose personal data may be processed in connection with the Solution. This Policy should be read together with the applicable contract, order, data processing addendum or other written terms agreed with Coinnect. In case of conflict, the specific contractual terms agreed with the customer will apply to the extent permitted by law.
2. Scope of the Solution and type of data involved
The Solution is designed to provide cyber-risk intelligence based on externally visible information. It is not designed to collect or host internal business data or internal security telemetry from customers.
2.1 Data provided by customers and users
Customers and authorized users may provide limited information needed to configure and use the Solution, such as:
· Business contact details, including name, business email address, job title, company name, phone number and support contact details.
· Account and authentication information for authorized users, such as user IDs, roles, permissions and login-related records.
· Seed identifiers used to focus the intelligence service, such as legal entity names, domains, subdomains, subsidiaries, supplier names, supplier domains and other external identifiers.
· Optional external asset identifiers, such as IP addresses or IP ranges, where the customer chooses to provide them and is authorized to do so.
· Support, administrative and billing information exchanged with Coinnect in the ordinary course of the business relationship.
2.2 Data collected, enriched or generated by Coinnect
Coinnect collects, enriches and generates external cyber-risk intelligence about externally visible assets and entities. This may include:
· Domain, DNS, certificate, hosting, routing, WHOIS or similar public or externally observable technical information.
· Externally reachable services, ports, web technologies, headers, banners, configurations and technology fingerprints.
· Indicators of vulnerability, exposure, misconfiguration, outdated technology, brand abuse, phishing risk, data exposure or other cyber-risk signals.
· Risk scores, ratings, findings, alerts, dashboards, reports and recommendations produced by Coinnect's analytical methods.
· Third-party or supplier risk intelligence where customers use the TPRM features to assess suppliers, vendors or other relevant business relationships.
Some technical identifiers, such as IP addresses, email addresses found in public sources or names in public records, may be considered personal data in certain jurisdictions. Where this occurs, we process such information in accordance with this Policy and applicable data protection laws.
3. How Coinnect collects external cyber-risk intelligence
Coinnect uses lawful external intelligence methods to identify and analyze externally visible digital assets and cyber-risk signals. These methods may include analysis of public internet records, public security advisories, vulnerability databases, certificate transparency data, passive and active external observations, third-party intelligence sources, public repositories, open-source intelligence and other externally accessible datasets.
The purpose of these activities is to provide customers with an outside-in view of their external attack surface and, where applicable, the cyber-risk posture of third parties that are relevant to them. The Solution is designed to operate without requiring access to internal networks, internal systems, private repositories, credentials or non-public customer content.
Unless expressly agreed in writing, Coinnect does not use the Solution to bypass authentication controls, exploit vulnerabilities, access private systems, retrieve internal files or perform intrusive penetration testing. External checks are intended to be proportionate, non-destructive and focused on externally observable risk indicators.
4. Purposes of processing
We process personal data and technical data for the following purposes:
· To provide, operate, maintain and improve the Coinnect EASM and TPRM Solution.
· To collect, enrich, analyze and deliver external cyber-risk intelligence, findings, reports, alerts and dashboards.
· To configure customer accounts, authenticate authorized users, manage permissions and support customer administration.
· To provide technical support, respond to requests, manage service communications and handle contractual or billing matters.
· To protect the confidentiality, integrity and availability of the Solution, prevent abuse, investigate security incidents and maintain audit logs.
· To improve detection methods, analytics, quality, reliability and performance, using aggregated or de-identified information where appropriate.
· To comply with applicable laws, regulatory requirements, court orders and lawful requests from public authorities.
· To send service notices and, where permitted, business communications about Coinnect products or services.
5. Legal bases for processing
Where the EU General Data Protection Regulation, the Swiss Federal Act on Data Protection or similar laws apply, we rely on one or more of the following legal bases:
· Performance of a contract. To provide the Solution, manage customer accounts, deliver support and perform our contractual obligations.
· Legitimate interests. To provide cybersecurity intelligence, protect our services, prevent abuse, improve our Solution, communicate with business contacts and support customers, provided that these interests are not overridden by individual rights.
· Legal obligations. To comply with laws, accounting obligations, sanctions rules, regulatory requirements or lawful requests.
· Consent. Where required by law, for example for certain marketing communications or non-essential cookies. Consent may be withdrawn at any time where applicable.
6. Roles under data protection law
Coinnect may act as a controller, processor or independent controller depending on the processing activity and the applicable contract.
· Controller for our own business operations. Coinnect acts as controller for personal data processed to manage accounts, provide support, secure the Solution, communicate with business contacts, comply with law and run our business.
· Independent controller for externally collected intelligence where appropriate. When Coinnect collects, enriches and generates external cyber-risk intelligence using its own sources, methods and datasets, Coinnect generally determines the means and purposes of that intelligence processing, subject to the applicable contract and law.
· Processor for customer-provided personal data where applicable. When Coinnect processes personal data provided by a customer solely on the customer's instructions and for the customer's contractual purposes, Coinnect acts as processor and the customer acts as controller. A data processing addendum may apply where required.
7. Disclosure of data
We do not sell personal data. We may disclose personal data and technical data only as needed for the purposes described in this Policy, including to:
· Trusted service providers that support hosting, infrastructure, security, monitoring, communications, customer support, billing, analytics or professional services.
· Professional advisers, auditors, insurers and legal advisers where necessary for legitimate business, compliance or legal purposes.
· Public authorities, courts or regulators where required by law or where disclosure is necessary to protect rights, security or safety.
· A successor or relevant party in connection with a merger, acquisition, reorganization or similar corporate transaction, subject to appropriate safeguards.
· Customers and their authorized users through the Solution, including dashboards, reports, alerts and other intelligence outputs made available to the relevant customer account.
Service providers are required to protect the data they process for us and may only use it for the purposes for which they are engaged.
8. International transfers
Coinnect is based in Switzerland. We may process or transfer data in Switzerland, the European Economic Area and other countries where we or our service providers operate. Where personal data is transferred internationally, we use appropriate safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, data processing agreements or other lawful transfer mechanisms.
9. Security measures
We maintain technical and organizational measures designed to protect personal data and customer-related technical data against unauthorized access, disclosure, alteration and destruction. These measures may include access controls, authentication, encryption or similar protections, logging and monitoring, network and infrastructure security, least-privilege practices, personnel confidentiality obligations, backup and recovery procedures and vendor management controls. No system can be guaranteed to be fully secure. Customers are responsible for managing their own user access, protecting their credentials and using the Solution in accordance with applicable agreements and laws.
10. Retention
We retain personal data and technical data only for as long as reasonably necessary for the purposes described in this Policy, unless a longer retention period is required or permitted by law or contract.
· Customer account, user and support data is generally retained for the duration of the customer relationship and for a reasonable period thereafter for legal, accounting, audit, security and dispute-resolution purposes.
· Customer-provided seed identifiers and configuration data are retained while needed to provide the Solution and may be deleted or returned following termination in accordance with the applicable contract.
· External cyber-risk intelligence may be retained for historical analysis, trend detection, auditability, service integrity, threat research and improvement of the Solution, subject to applicable law and appropriate safeguards.
· Security logs may be retained for periods appropriate to detect abuse, investigate incidents, maintain service integrity and comply with legal obligations.
11. Customer responsibilities
Customers should provide only the information required to configure and use the Solution. In particular, customers should not upload or submit internal security logs, credentials, secrets, source code, internal vulnerability reports, personal customer records, HR data, health data, payment card data, special categories of personal data or other sensitive information unless expressly agreed in writing with Coinnect.
Customers are responsible for ensuring that they have the necessary rights, authority and lawful basis to submit domains, IP addresses, supplier identifiers or other asset identifiers to the Solution, and to request monitoring or assessment of the relevant assets or third parties.
Customers are also responsible for configuring user access appropriately and for providing any notices required by applicable law to their users, suppliers or other relevant parties.
12. Individual rights
Depending on the applicable law and the circumstances, individuals may have rights to request access to, correction of, deletion of, restriction of, objection to or portability of their personal data. Individuals may also have the right to withdraw consent where processing is based on consent, and to lodge a complaint with a competent data protection authority. If your request relates to personal data processed by Coinnect on behalf of a customer, we may refer the request to that customer or ask you to contact the customer directly. If your request relates to processing for which Coinnect is responsible, we will respond in accordance with applicable law.
13. Cookies and website information
Our website and online services may use cookies or similar technologies for functionality, security, analytics or user experience purposes. Where required by law, we will request consent for non-essential cookies and provide choices through the relevant cookie banner, settings or notice made available on the website.
14. Children
The Solution is intended for business customers and authorized business users. It is not directed to children and we do not knowingly collect personal data from children through the Solution.
15. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, the Solution, legal requirements or operational needs. The updated version will be indicated by the "Last updated" date. Material changes may be notified through appropriate channels, such as the Solution, email or our website.
16. Contact
For privacy questions or requests, please contact Coinnect SA at its registered office: via Penate 16, 6850 Mendrisio, Switzerland. Customers and authorized users may also use the contact details, support channel or privacy contact made available by Coinnect on its website or within the Solution.
This Policy is a public-facing privacy notice for the Coinnect EASM and TPRM Solution. It does not replace any data processing addendum or specific contractual terms agreed with a customer.