Privacy Policy
Bastion's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.
The www.bastion.tech website (hereinafter referred to as "the Site") and the https://app.bastion.tech application (hereinafter referred to as "the Application") are operated by Bastion, a simplified joint stock company with a capital of 12 000.00 euros, whose registered office is located at 65 rue de la croix, 92000 Nanterre, and which is registered in the Nanterre B Trade and Companies Register under number 921 179 925.
This Privacy Policy explains what Data is collected when the User uses the Services, and how it is processed.
This Privacy Policy may be amended from time to time to ensure compliance with applicable law.
The version applicable to the User is the one in force on the Site and on the Application at the date of use of the Services.
DEFINITIONS
Terms beginning with a capital letter used in the singular or plural in the body of this Privacy Policy shall have the meanings given to them in the Terms of Use, or defined below:
Personal Data or Data: means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an "identifiable natural person" is one who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
Processing: means any operation or set of operations, whether or not carried out by automatic means, applied to Data or sets of Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, communication by transmission, dissemination or otherwise making available, alignment or combination, limitation, erasure or destruction;
Controller: means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the Processing;
Processor: means the natural or legal person, public authority, department or other body that processes Personal Data on behalf of the Controller.
PROCESSING OF PERSONAL DATA FOR WHICH BASTION IS THE DATA CONTROLLER
Bastion is the Controller of the Processing of the Data that the User communicates to it when using the Services.
ARTICLE I. PERSONAL DATA PROCESSED, PURPOSES OF PROCESSING AND RETENTION TIME
Personal Data is collected for specific, explicit and legitimate purposes.
Bastion ensures that Personal Data are processed in an adequate, relevant and limited manner with regard to the purposes for which they are processed:
Data Category / Purpose / Legal basis / Retention time

Management of requests through the contact section
• Data: Email address
• Purpose: Respond to User requests
• Legal basis: the legitimate interest of Bastion to provide a response to Users

Data (category not stated): email address, password, IP address, last name, first name

Management of the newsletter
• Data: Email address, name, first name
• Purpose: Subscription management; management of electronic mailings
• Legal basis: the consent of the User collected during the collection of his email address
• Retention time: 3 years from the last contact from the User or until the withdrawal of consent

Management of Vulnerability Scan subscriptions
• Data: Email address, name, first name, postal address
• Purpose: Allow access to the User's personal space
• Legal basis: the consent of the User obtained at the time of registration by accepting the Terms of Use and this Privacy Policy
• Retention time: 3 years from the last activity of the User

Data (category not stated): Email address, telephone number, full name, postal address of the Company's representative
• Purpose: Follow-up of the invoicing; follow-up of the customer relationship; management of after-sales services and complaints
• Retention time: 5 years from the end of the contractual relationship

Cookies and trackers
• Data: IP address
• Purpose: Ensure the operation of the site; keep the user connected; measure the audience
• Legal basis: the legitimate interest for the strictly necessary cookies and the consent for the others
ARTICLE II. RECIPIENTS OF PERSONAL DATA
None of the Personal Data concerning the User is transmitted to third parties, with the exception of Bastion staff members or partners and subcontractors, solely for the purpose of carrying out the above-mentioned purposes and within the limits of the information strictly necessary for this purpose.
The User's Personal Data is stored either in Bastion’s databases or in those of its service providers, which are located within the European Union.
The User's Personal Data is not transferred outside the European Union.
ARTICLE III. DATA PROTECTION OFFICER
The Data Protection Officer appointed by Bastion can be contacted at the following address: dataprivacy@bastion.tech.
ARTICLE IV. USERS' RIGHTS
In accordance with the regulations concerning the Processing of Personal Data, the User has the following rights:
1. Right of access, rectification and deletion
The User may review, update, modify or request the deletion of his/her Personal Data.
If he/she has one, the User has the right to request the deletion of his/her Personal Space.
2. Right to Data Portability
The User has the right to request the portability of his/her Personal Data, held by Bastion, to another operator.
3. Right to limit and oppose the processing of personal data
The User has the right to request the limitation of or to object to the Processing of his/her Personal Data by Bastion, without Bastion being able to refuse, unless it can demonstrate the existence of legitimate and compelling reasons that may override the interests and rights and freedoms of the User.
4. Exercise of rights
The User may, subject to the production of valid proof of identity, exercise his/her rights by contacting the Bastion Data Protection Officer by email at dataprivacy@bastion.tech.
In order for Bastion to comply with the request, the User is required to provide the following information: their first and last names as well as the e-mail address used on the Site or the Application.
Bastion is required to respond to the User within 30 days.
If the User believes, after contacting Bastion, that his/her rights have not been respected, he/she may submit a complaint to a supervisory authority.
The supervisory authority in charge of the Processing carried out by Bastion is the Commission Nationale de l'Informatique et des Libertés (CNIL).
PROCESSING OF PERSONAL DATA FOR WHICH BASTION IS THE PROCESSOR
When performing the vulnerability scan service, Bastion acts as a Processor within the meaning of the regulations in force applicable to the Processing of Personal Data, and solely on the instructions of the Company acting via the User, which acts as the Data Controller.
ARTICLE I. DESCRIPTION OF THE PROCESSING BY BASTION
Bastion is authorized to process on behalf of the Company the Personal Data necessary to provide the following service: external vulnerability scan to identify all the vulnerabilities of the Company's technological data.
Processing / Data Category / Categories of Data subject / Purpose

External vulnerability scan
• Categories of Data subject: Employees, collaborators, customers
• Data: Email address, password, IP address, last name, first name
• Purpose: Identification, analysis and presentation to the User of all the vulnerabilities of the Company's technological data

Automatic scanning for persistent vulnerabilities
• Data: Email address, password, IP address, last name, first name
• Categories of Data subject: Employees, collaborators, customers
• Purpose: Adjusting prices based on identified persistent vulnerabilities
ARTICLE II. DURATION OF THE CONTRACT
This Privacy Policy is effective upon acceptance by the User, as well as acceptance of the Terms of Use, for an indefinite period.
ARTICLE III. BASTION OBLIGATIONS TOWARDS THE COMPANY
Bastion is committed to:
1. Process the Data only for the purposes described in Article I above, namely the identification, analysis and presentation to the User of the vulnerabilities of the Company's technological data, revealed through the vulnerability scan, and the adjustment of prices based on identified persistent vulnerabilities.
2. Process the Data in accordance with the Company's documented instructions, as described in the Terms of Use. If Bastion considers that an instruction constitutes a breach of the EU Data Protection Regulation or any other provision of Union or Member State law relating to data protection, it shall immediately inform the Company. In addition, if Bastion is required to transfer Data to a third country or to an international organization under Union law or the law of the Member State to which it is subject, it must inform the Company of this legal obligation prior to the Processing, unless the relevant law prohibits such information on important grounds of public interest.
3. Guarantee the confidentiality of the Personal Data processed in the context of the vulnerability scan.
4. Ensure that persons authorized to process Personal Data under this Agreement:
• are committed to confidentiality or are subject to an appropriate legal obligation of confidentiality;
• receive the necessary training in the protection of personal data.
5. Take into account the principles of data protection by design and data protection by default for its tools, products, applications or services.
ARTICLE IV. SUBSEQUENT PROCESSING
Bastion is authorized to use the following entities to conduct the Processing activities described below (hereinafter, the "Subsequent Processors"):
• Amazon Web Services: Hosting Personal Data;
• Google Cloud Platform: Hosting Personal Data;
• Stripe: Payment services;
• HelloSign: Signature services.
Subsequent Processors are required to comply with the obligations of this contract on behalf of and according to the instructions of the Company. It is Bastion’s responsibility to ensure that Subsequent Processors present the same sufficient guarantees regarding the implementation of appropriate technical and organizational measures so that the Processing meets the requirements of the European Data Protection Regulation. If Subsequent Processors do not fulfil their data protection obligations, Bastion remains fully responsible to the Company for the Subsequent Processors' performance of their obligations.
ARTICLE V. RIGHT TO INFORMATION OF THE DATA SUBJECT
It is the Company's responsibility to provide information to the persons concerned by the Processing operations.
It is the responsibility of the Company, in its capacity as Data Controller, to obtain any necessary consent from the natural persons concerned, in correlation with the purposes of the Processing pursued.
ARTICLE VI. EXERCISE OF THE RIGHTS OF DATA SUBJECTS
The persons whose Data have been collected must assert their rights directly to the Company, which, after studying the admissibility of the request, undertakes to comply with it within the regulatory time limits.
Insofar as possible, Bastion shall assist the Company in fulfilling its obligation to respond to requests to exercise the rights of data subjects.
When the persons concerned make requests to Bastion to exercise their rights, Bastion must send these requests as soon as they are received by e-mail to the contact address given on the User's Personal Space.
ARTICLE VII. NOTIFICATION OF PERSONAL DATA BREACHES
Bastion shall notify the Company of any violation of Personal Data within a maximum of 24 hours of becoming aware of it, via the contact address provided on the User's Personal Space.
This notification shall be accompanied by any useful documentation to enable the Company, if necessary, to notify the competent supervisory authority of the breach.
It is the Company's responsibility to alert, if necessary, the competent supervisory authority and/or the persons concerned, and to comply with its obligations under the GDPR.
ARTICLE VIII. ASSISTANCE FROM BASTION IN THE CONTEXT OF THE COMPANY'S COMPLIANCE WITH ITS OBLIGATIONS
Bastion assists the Company in carrying out data protection impact assessments.
Bastion assists the Company in carrying out the prior consultation with the supervisory authority.
ARTICLE IX. SECURITY MEASURES
Bastion undertakes to put in place all the necessary means to ensure the confidentiality and security of the Data, so as to prevent their damage, deletion or access by unauthorised third parties.
Bastion’s technical and organizational measures are as follows:
1. Commitment to confidentiality of its employees
Through the employment contract, the Bastion employee undertakes to respect the rules and procedures in force in the company, particularly with regard to:
• Professional secrecy;
• Professional and loyal behaviour towards the company.
2. Awareness-raising and training activities on the security of personal data
All Bastion employees arriving on the project are made aware of security. A presentation of the objectives, individual roles and responsibilities and the security procedures related to the project is made.
3. Management of access accounts and authorisation
The security of information and access is managed by the system administrators. They create nominative access with strong passwords for all the tools used by Bastion.
The security policy for passwords applied to accounts complies with the recommendations of the CNIL.
4. Security of Bastion’s premises
Access to Bastion’s premises is reserved for authorised persons only.
Bastion’s premises are protected by a badging system.
The premises are also equipped with a video surveillance system. The video surveillance data is kept for 1 month.
5. Computer allocation and maintenance
Each Bastion employee has his own workstation.
The workstations are protected primarily by a user/password authentication generated by the system administrators.
Bastion employees are made aware of the security rules by the system administrators when they are given their computers. Each employee has administrator rights on his/her computer in order to be able to configure or install additional software required for the execution of their missions.
Passwords are Personal and Confidential Data; they must be sufficiently strong, and must not be disclosed or left unprotected.
Any computer given to a Bastion employee must have been formatted beforehand in the event of a handover, and also if the equipment is new and the operating system installed does not correspond to what has been defined by the system administrators.
The maintenance of any computer is done on Bastion’s premises whenever possible. When outside maintenance is required, maintenance agents are welcomed and supervised on Bastion’s premises to carry out any repairs or modifications.
6. Confidentiality of processed data
Bastion is committed to:
• Not to make any copies of the documents and data carriers entrusted to it, except those necessary for the performance of the service;
• Not to use the processed documents and information for purposes other than those defined by the Company;
• Not to divulge this information to other persons, whether private or public, natural or legal persons, for the duration of the service.
ARTICLE X. DISPOSITION OF DATA
At the end of the services provided in relation to the Processing of this Data, Bastion undertakes to destroy all personal Data relating to the Company and the User, with the exception of those whose retention beyond the contractual relationship is authorized by law, by the legitimate interests of Bastion or by the Company and the User.
Once the Data has been destroyed, Bastion must justify the destruction in writing.
ARTICLE XI. DATA PROTECTION OFFICER
The Bastion Data Protection Officer can be contacted at the following address: dataprivacy@bastion.tech.
ARTICLE XII. RECORDS OF PROCESSING ACTIVITIES
Bastion declares that it keeps a written record of all Processing activities carried out on behalf of the Company including:
• The name and contact details of the Company on whose behalf it is acting, the identification data of the User, any sub-processors and the Data Protection Officer;
• The categories of Processing carried out on behalf of the Company;
• As far as possible, a general description of the technical and organisational security measures.
ARTICLE XIII. DOCUMENTATION
Bastion shall make available to the Company the documentation necessary to demonstrate compliance with all its obligations and to allow audits, including inspections, to be carried out by the Company or another auditor it has commissioned, and to contribute to these audits.
ARTICLE XIV. OBLIGATIONS OF THE COMPANY TOWARDS BASTION
The Company agrees to:
• Document in writing the instructions concerning the Processing of Data by Bastion, in particular by keeping a copy of the Terms of Use;
• Ensure, beforehand and throughout the duration of the Processing, that Bastion complies with the obligations set out in the European Data Protection Regulation;
• Supervise the Processing, including conducting audits and inspections at Bastion.