How Security Compliance Hub collects, uses, and protects your data — including data obtained via Google Sign-In.
Effective date: 30 April 2026 · Operated by Cyber 3D Ltd
Security Compliance Hub accesses only the minimum data necessary to operate. The tables below describe each category of data we collect, its source, and whether collection is required or optional.
| Data item | Source | Required? |
|---|---|---|
| Email address | Google Sign-In or direct registration | Yes — used as account identifier |
| Display name | Google profile or registration form | Optional — used for personalisation |
| Firebase User ID (UID) | Assigned by Firebase Authentication | Yes — internal account reference |
| Email verification status | Firebase Authentication | Yes — required to enable TOTP MFA |
| TOTP multi-factor secret | Generated and stored by Firebase Authentication if you enable MFA | Optional — only if you enrol MFA |
| Account entitlements | Set by Cyber 3D Ltd on your Firebase account (e.g. trial status, active subscription, one-shot purchases, Supply Chain tier) | Yes — required to grant access to paid products |
email and profile). We do not request access to Gmail, Google Drive, Google Contacts, or any other Google service data.
| Data item | Purpose | Required? |
|---|---|---|
| Organisation name | Dashboard personalisation, PDF report headers | Optional |
| Industry sector | Tailored compliance guidance and recommendations | Optional |
| Organisation size | Regulatory scoping (e.g. DORA entity type) | Optional |
| Primary compliance drivers | Personalised framework recommendations | Optional |
| Data item | Purpose |
|---|---|
| Assessment question responses | Scoring, gap analysis, and AI-generated recommendations |
| Section and overall scores | Dashboard history, trend tracking, compliance readiness summary |
| Identified critical issues | Remediation planning and Phronesis AI guidance |
| Completion timestamps | Activity feed, score history ordering |
| Practitioner evidence notes (optional free-text) | Narrative context supplied by the assessor (e.g. policy references, observations). Sent to Phronesis alongside radio responses to sharpen AI-generated recommendations, and persisted to your Firestore assessment record so notes survive device changes and logout. CE assessments store notes via a collapsed "Add advisor notes" toggle; all other assessments show evidence fields inline. |
| Evidence Vault file attachments (optional) | Files you attach per question in the Evidence Vault (PNG, JPEG, GIF, WebP, PDF, TXT, JSON, DOCX — up to 10 MB each). Files are uploaded directly to Google Cloud Storage via a signed URL and then scanned automatically: (1) a SHA-256 hash lookup against VirusTotal for known-malicious signatures; (2) for PDFs, plain-text, JSON, and DOCX files whose hash is unknown, the full file is submitted to VirusTotal for analysis; (3) for files under 512 KB, the content is inspected by Google Cloud DLP for PII types (credit card numbers, UK National Insurance numbers, UK passport numbers, email addresses, phone numbers, and IBAN codes). Files identified as malicious or containing PII are quarantined and deleted from storage. Clean files remain in Cloud Storage and are linked to your assessment record in Firestore. |
If you subscribe to the Supply Chain Risk Manager, you can add supplier records to your portfolio. We store only what is necessary to operate the questionnaire and risk-scanning features:
| Data item | Purpose |
|---|---|
| Supplier name, domain, primary contact email | Identifying the supplier in your portfolio and delivering their questionnaire invitation |
| Questionnaire responses submitted by the supplier | Scoring the supplier against your supply-chain controls |
| Risk-scan results (domain / certificate / breach-intelligence findings) | Independent verification signals that sit alongside the questionnaire score |
| Scan history, trend points, and unacknowledged alerts | Drift detection and month-on-month change tracking |
/users/{uid}/suppliers/) and are visible only to you. Deleting your account deletes all supplier records you have created. Where you add a supplier contact email so we can deliver their questionnaire, you are the controller of that email; we act as processor.
If you submit the consultancy contact form, we collect: name, email address, company name, organisation size, service of interest, and your message. This data is used solely to respond to your enquiry.
We use the data we collect solely to provide and improve the Security Compliance Hub service. We do not use your data for advertising, profiling, or sale to third parties.
| Purpose | Data used | Legal basis (UK GDPR) |
|---|---|---|
| Authenticate your account and maintain your session | Email, UID, display name | Contract performance |
| Deliver assessment scoring and gap analysis | Assessment responses, organisation profile | Contract performance |
| Generate AI-powered recommendations via Phronesis | Assessment responses, sector, org size (anonymised prompt) | Contract performance |
| Personalise your dashboard and framework guidance | Organisation profile, score history | Legitimate interests |
| Respond to consultancy enquiries | Contact form data | Consent / pre-contractual steps |
| Maintain platform security and prevent abuse | Email, UID, access logs | Legitimate interests |
| Generate anonymised sector benchmarks | SHA-256 hash of your UID plus assessment scores (no identifying fields) | Legitimate interests (you may opt out from My Dashboard) |
| Create a shareable read-only snapshot of your results | Scores, gap summary, Phronesis summary, organisation name | Consent (only created when you click Share) |
| Store and protect Evidence Vault file attachments | Uploaded files and their metadata | Contract performance |
| Operate the Supply Chain Risk Manager | Supplier records, questionnaire responses, risk-scan results | Contract performance (you) / Legitimate interests (scan of your supplier's public-domain posture) |
After you complete an assessment, your scores may be included in anonymised sector aggregates so other users in your industry can see how their organisation compares. Before the score is written we replace your UID with a SHA-256 hash, and we never store your email, organisation name, or free-text responses in the benchmark dataset. Aggregation only becomes visible when a sector reaches at least 10 contributing organisations. You can opt out at any time from the My Dashboard settings panel; doing so removes any future contribution and prevents the "how you compare" block from showing your results.
If you click Share on an assessment result, we create a read-only snapshot at a unique URL with a token that is unguessable. Anyone holding the URL can read the snapshot without signing in; it is therefore only as private as the link itself. You choose the expiry (7, 30, 90 days, or no expiry) and can revoke a share at any time. Shared snapshots include the overall score, section breakdowns, critical issues, strengths, next steps, and the Phronesis summary; they do not include your email, contact details, or practitioner evidence notes.
When you run an AI analysis or use the Phronesis chat feature, your assessment responses and organisation context are sent to Phronesis, our AI analysis service, to generate recommendations. This data is transmitted securely via our Firebase Cloud Function proxy — your data is never sent directly from your browser to Phronesis.
Across all assessments, business-attributable identifiers are stripped before any data is sent to the Phronesis AI service. This includes organisation name, target company name, assessor name, company registration number, filing status, and incorporation date. Only anonymised scores, domain context, industry sector, and organisation size are included in the analysis prompt. No information that could directly identify your organisation or any third party is transmitted to the AI.
Assessment progress is automatically saved to your browser's localStorage every second so you can resume without losing work. In addition, while you are signed in, a background draft-sync writes your in-progress state (including any evidence notes you have typed) to your private Firestore document (/users/{uid}/drafts/{assessmentType}) on tab-hide, page-close, and every 30 seconds if the state has changed. This cross-device sync allows you to resume on a different browser or device. The draft is deleted automatically when you complete and save an assessment. Local storage is cleared when you sign out; the Firestore draft persists until the assessment is completed or your account is deleted.
We do not sell, rent, or trade your personal data. We share data only with the service providers listed below, and only to the extent necessary to deliver the platform.
| Third party | Data shared | Purpose | Location |
|---|---|---|---|
| Google Firebase Sub-processor | Email, UID, display name, profile data, assessment scores, practitioner evidence notes, in-progress draft state, evidence file metadata (file name, size, upload timestamp, scan result) | Authentication (Firebase Auth), database (Firestore), hosting | EU (europe-west2) |
| Google Cloud Storage Sub-processor | Evidence Vault file attachments (Assessment Bundle subscribers only) | Storing files you attach to assessment questions in the Evidence Vault | Google Cloud infrastructure (US) |
| Google Cloud Data Loss Prevention (DLP) Sub-processor | File content of Evidence Vault attachments under 512 KB (inline inspection only — file bytes are never stored by DLP) | Automated PII detection — inspects uploaded files for credit card numbers, UK National Insurance numbers, UK passport numbers, email addresses, phone numbers, and IBAN codes; quarantines files that contain PII | USA (standard contractual clauses apply) |
| VirusTotal (Google LLC) Sub-processor | SHA-256 hash of each uploaded file; full file content for PDFs, plain-text, JSON, and DOCX files whose hash is not already in the VirusTotal database | Malware scanning of Evidence Vault attachments; files identified as malicious are quarantined and deleted | USA (standard contractual clauses apply) |
| Phronesis AI Service Sub-processor | Assessment responses, organisation context (no direct identifiers) | AI-generated analysis and recommendations via Phronesis | USA (standard contractual clauses apply) |
| SendGrid (Twilio Inc.) Sub-processor | Contact-form submissions (name, email, message) and Supply Chain questionnaire invitations (supplier contact email) | Transactional email delivery | USA (standard contractual clauses apply) |
| External security-intelligence providers Sub-processors | Supplier domain / company name only (no subscriber personal data) | Independent verification signals for Supply Chain Risk Manager — domain reputation, breach intelligence, certificate transparency, DNS / TLS posture, public registry lookups | UK / EU / USA (SCCs apply where relevant) |
We may disclose data where required to do so by law, court order, or regulatory authority (e.g. the ICO). We will notify you of any such disclosure unless prohibited from doing so by law.
In the event of a merger, acquisition, or sale of Cyber 3D Ltd, user data may be transferred as part of that transaction. You will be notified in advance and given the opportunity to delete your account before any transfer takes effect.
User profile data and assessment scores are stored in Google Cloud Firestore in the europe-west2 (London) region. Authentication data is managed by Firebase Authentication, also within Google's EU infrastructure.
Evidence Vault file attachments (Assessment Bundle subscribers only) are stored in Google Cloud Storage under your account's private path (evidence/{uid}/...). Storage access rules restrict reads to authenticated Cloud Functions acting on your behalf — direct browser access to the raw storage bucket is blocked. Each uploaded file is scanned automatically: a three-layer pipeline checks the file against VirusTotal malware signatures and inspects the content with Google Cloud DLP for PII; files that fail either check are quarantined (removed from storage and flagged in Firestore) before you can view or download them.
| Safeguard | Detail |
|---|---|
| Encryption in transit | All data transmitted over TLS 1.2+ (HTTPS enforced by Firebase Hosting) |
| Encryption at rest | Firestore data encrypted at rest by Google Cloud (AES-256) |
| Authentication | Firebase Authentication with optional TOTP multi-factor authentication |
| Firestore access rules | Each user can only read their own documents; all writes are performed server-side via authenticated Cloud Functions — direct client writes are blocked |
| API key protection | The Phronesis API key is stored as a Firebase Cloud secret and never exposed to the browser |
| Input validation | All Cloud Function endpoints validate Firebase ID tokens and sanitise inputs before processing |
| Rate limiting | Contact-form endpoint limited to 3 requests / minute per IP address; Phronesis AI analysis limited to 20 requests / minute per authenticated user; Supply Chain on-demand scans limited to 1 scan / 30 minutes per supplier |
Access to Firebase project configuration and production data is restricted to authorised Cyber 3D Ltd personnel. Service account credentials are managed via Google Cloud IAM with least-privilege roles. Security scanning of the codebase is performed automatically on every code change via GitHub Actions (Semgrep, Trivy, Gitleaks).
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours and inform affected users without undue delay, as required under UK GDPR Article 33–34.
| Data category | Retention period | Reason |
|---|---|---|
| Account (email, UID, display name) | Until account deletion is requested | Required to provide the service |
| Organisation profile | Until account deletion is requested | Personalisation and dashboard history |
| Assessment scores, history & evidence notes | Until account deletion is requested | Progress tracking, trend analysis, and audit-ready evidence record |
| Evidence Vault file attachments | Until you delete the file, your Assessment Bundle subscription lapses, or account deletion is requested | Audit-ready documentary evidence linked to individual assessment questions |
| In-progress assessment drafts (including evidence notes typed mid-assessment) | Deleted automatically on assessment completion; otherwise until account deletion | Cross-device resume of in-progress assessments |
| One-shot assessment results (CE One-Shot, PE Due Diligence, SOC Maturity) | Read-only for 30 days from analysis; then locked and removed from the active dashboard | One-shot purchases include a defined 30-day access window |
| Supplier records (Supply Chain Risk Manager) | Until you remove the supplier or delete your account | Ongoing portfolio risk tracking |
| Supply Chain scan history and alerts | Until the parent supplier record is removed or your account is deleted | Drift detection and month-on-month change tracking |
| Shareable result snapshots | Expires on the date you chose when creating the share (7 / 30 / 90 days or never); revocable at any time | Public read-only snapshot for third parties you choose |
| Sector benchmark entries (hashed UID + scores) | Until account deletion is requested or you opt out of benchmarking | Anonymised aggregate statistics for the sector |
| Contact-form enquiries | Up to 24 months from submission | Business records and follow-up correspondence |
| Browser localStorage data | Cleared on sign-out; otherwise persists in your browser until you clear it | Assessment auto-save (device-local only) |
| Firebase Auth logs | Up to 90 days (Google platform default) | Security and abuse prevention |
As a UK data subject you have the right to: access your personal data, rectify inaccurate data, erasure ("right to be forgotten"), restrict processing, data portability, and object to processing based on legitimate interests. To exercise any of these rights, contact us using the details below.
You can request complete deletion of your account and all associated personal data at any time. Upon verified request we will:
Delete your Firebase Authentication account · Delete your Firestore profile document and all assessment history · Delete all Evidence Vault files from Cloud Storage · Delete your Supply Chain supplier records, scans, and alerts · Revoke all active share links you have created · Remove your anonymised benchmark entries · Confirm deletion in writing within 30 days
Email us at support@securitycompliancehub.io with the subject line "Data Deletion Request" and the email address associated with your account. We will verify your identity before processing the request.
For general privacy enquiries or to exercise other UK GDPR rights, contact support@securitycompliancehub.io. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).