Skip to content
ACTServ Technology Ltd

Privacy Policy

ACTServ Technology Ltd

HE428639

Effective date: [EFFECTIVE DATE TO BE CONFIRMED]

Last updated: [EFFECTIVE DATE TO BE CONFIRMED]

This Privacy Policy explains how ACTServ Technology Ltd ("ACTServ", "we", "us") processes personal data in connection with our website, sales and enquiries, customer and supplier relationships, the ACTServ GRC Platform, support, billing, events, marketing and other direct business interactions.

Where our customers use the ACTServ GRC Platform to process information about their own personnel, vendors and other individuals, those customers remain responsible for their own privacy notices. This Privacy Policy does not replace the privacy notices of ACTServ customers.

Who we are

ACTServ Technology Ltd is a company established in the Republic of Cyprus under registration number HE428639.

Registered Address

232 Strovolou Avenue, 2nd Floor, 2048 Nicosia, Cyprus

Contact

privacy@actserv.tech

Our roles: Controller and Processor

ACTServ acts as Data Controller for personal data relating to:

  • website enquiries
  • sales and prospective customer data
  • customer contacts and account administration
  • billing and contract administration
  • security and fraud-prevention information
  • support administration
  • supplier and partner contacts
  • marketing communications
  • our own corporate and legal obligations
  • ACTServ acts as Processor, or as Subprocessor where the customer itself acts as Processor, for Customer Data processed through the ACTServ GRC Platform on behalf of customer organisations.
  • Processing of Customer Data is governed by the customer agreement, the ACTServ GRC Master Subscription Agreement (/legal/grc-msa), the Data Processing Agreement (/legal/grc-dpa) and the Subprocessor Schedule (/legal/grc-subprocessors).
  • If your personal data is processed in the Platform on behalf of a customer organisation, requests concerning that data should usually be directed to that organisation, which acts as Controller.

People covered by this Policy

This Policy covers:

  • website visitors
  • prospective customers
  • customer representatives
  • customer employees and authorised Platform users
  • suppliers and business partners
  • professional advisers
  • event participants
  • job applicants, where applicable
  • people contacting ACTServ for support or other business purposes

Personal data we collect

Contact and business data, including:

  • name
  • job title
  • company and department
  • business email and telephone
  • business address
  • customer, supplier or partner role
  • communications and correspondence
  • Contract and billing data, including:
  • subscribed services
  • contract and order details
  • invoice and payment status
  • VAT and accounting information
  • procurement contacts
  • renewal and customer-administration information
  • Platform account data, including:
  • name and business email
  • organisation
  • user identifier and assigned role
  • account status
  • authentication and MFA-related status
  • session and account activity metadata
  • Authentication for the Platform is handled through a dedicated identity provider. ACTServ does not store Platform user passwords.
  • Technical and security data, including:
  • IP address
  • browser and device information
  • timestamps
  • login and authentication activity
  • audit events and security alerts
  • application diagnostics, error and performance information
  • records required to detect and investigate misuse or incidents
  • Enquiry, sales and marketing data, including:
  • service interest
  • demo and contact requests
  • meeting notes
  • communication preferences
  • event participation
  • source of enquiry
  • Support information, including:
  • support-ticket content
  • screenshots and attachments
  • technical logs voluntarily provided
  • troubleshooting records and communications with ACTServ support
  • Please do not submit passwords, secret keys or unnecessary sensitive personal data through support channels.
  • Customer Data processed on behalf of customers. Customers may use the ACTServ GRC Platform to process employee and user information, roles and departments, control, risk and policy owners, vendor and professional contacts, audit and assessment records, compliance evidence, uploaded files, Microsoft 365 inventory or integration metadata, and other information selected by the customer. The customer determines the purpose and content of this processing.

How we obtain personal data

We obtain personal data:

  • directly from you
  • from your employer or organisation
  • from customer administrators
  • automatically through website or Platform use
  • from customer-controlled integrations
  • from support interactions
  • from suppliers and business partners
  • from publicly available professional sources
  • from referral or event partners, where lawful

Why we use personal data and legal bases

Enquiries and demonstrations. We respond to requests, schedule meetings and assess potential business relationships. Legal basis: steps requested before entering into a contract, and our legitimate interests in developing business relationships.

Customer and supplier administration. We enter into and administer contracts, maintain contacts, deliver services and manage renewals and procurement. Legal basis: performance of a contract, legitimate interests and legal obligations.

Platform accounts. We provision accounts, authenticate users, administer permissions and provide the Platform. Legal basis: performance of contracts with customer organisations, and our legitimate interests in delivering and securing the service. Individual Platform users do not need a personal contract with ACTServ.

Security, monitoring and fraud prevention. We protect systems, detect abuse, investigate incidents, enforce contractual restrictions and maintain auditability. Legal basis: our legitimate interests in protecting ACTServ, its customers and users from security threats, misuse and fraud, and legal obligations where applicable.

Support. We respond to tickets, troubleshoot, maintain service quality and investigate technical issues. Legal basis: contractual performance and our legitimate interests in providing effective support.

Billing and accounting. We invoice, collect payment, keep financial records and comply with tax and accounting requirements. Legal basis: contract, legal obligation and our legitimate interests in managing the business.

Marketing. We communicate relevant ACTServ services, invite contacts to events and maintain business relationships. Legal basis: consent where required, and our legitimate interests in proportionate business-to-business marketing, subject to your right to opt out at any time.

Legal and regulatory compliance. We comply with law, respond to authorities, establish or defend legal claims and meet audit, insurance and governance requirements. Legal basis: legal obligation and our legitimate interests in protecting ACTServ's legal position.

Website operation and measurement. We operate the website, maintain its security and understand aggregate usage. Legal basis: our legitimate interests in operating and securing the website, and consent where non-essential cookies are used.

ACTServ GRC Platform and Customer Data

Customers control Platform configuration and Customer Data. Customers determine their authorised users and choose which integrations to enable and with what permission scopes.

ACTServ processes Customer Data only for providing, securing, supporting and administering the Platform, as set out in the Data Processing Agreement (/legal/grc-dpa). ACTServ separately processes account, billing, security and support administration data as Controller.

The Platform is a management tool and does not independently determine the customer's compliance decisions. The customer is responsible for its own privacy notices, lawful bases, user communications and processing instructions. The providers involved in delivering the Platform are listed in the Subprocessor Schedule (/legal/grc-subprocessors).

Integrations

Customers may enable integrations between the Platform and third-party or customer-controlled systems. The customer selects the integration and controls its permissions and scope. ACTServ processes the information made available through the configured integration. Third-party providers may separately process information under their own agreements with the customer. Revoking an integration does not necessarily delete information already collected and retained under the customer agreement.

For Microsoft 365, inventory integrations may collect directory, identity, licensing, device or security information according to the permissions granted by the customer. Email functionality, where enabled, sends notifications through a customer-controlled designated mailbox and does not provide ACTServ with general mailbox-reading access.

Cookies and similar technologies

We aim to keep the use of cookies and similar technologies to a minimum.

Strictly necessary items required to deliver the website and the Platform securely, including authentication and session items set by our identity provider on the Platform, are used on the basis of our legitimate interest in operating and securing our services.

Where non-essential cookies are used, they are used only with consent, which can be withdrawn at any time through the cookie settings. The website does not use marketing or advertising cookies.

Sharing and recipients

We may disclose personal data to:

  • cloud, hosting and application providers
  • identity and authentication providers
  • communication and email providers
  • CRM, sales and customer-management providers, where used
  • support and operational providers
  • analytics providers, where used
  • accountants, auditors, legal advisers, insurers and other professional advisers
  • banks and payment providers
  • competent authorities
  • parties involved in a merger, acquisition, reorganisation or asset sale, subject to appropriate safeguards
  • For Customer Data processed through the Platform, the relevant providers are listed in the Subprocessor Schedule (/legal/grc-subprocessors).
  • ACTServ does not sell personal data.

International transfers

Where personal data is transferred outside the European Economic Area to a country that has not been recognised by the European Commission as providing an adequate level of protection, ACTServ relies on appropriate safeguards, such as the European Commission's Standard Contractual Clauses, together with supplementary measures where appropriate. Information about these safeguards may be requested through privacy@actserv.tech.

Retention

We retain personal data only as long as needed for the purposes described in this Policy:

  • enquiry and prospect information: for a reasonable period after the last meaningful interaction
  • customer and supplier contracts: for the contract term and applicable legal, tax, accounting and limitation periods
  • billing records: as required under Cyprus accounting and tax law
  • Platform account data: for the duration of the account and a proportionate period required for security, dispute and compliance purposes
  • security and audit logs: according to ACTServ's documented security and operational retention schedules
  • support records: as necessary to resolve the request and support legal, contractual and security needs
  • marketing preferences: until withdrawal or objection, with a limited suppression record retained to respect the request
  • Customer Data: according to the customer agreement, the Data Processing Agreement, the export period and the backup-deletion cycle
  • recruitment records: according to the applicable recruitment retention process, where collected
  • Data may be retained longer where required by law, a legal hold, a dispute, an investigation or a security need.

Security

ACTServ maintains appropriate technical and organisational measures designed to protect personal data, including access controls, multi-factor authentication where applicable, role-based access, logging and monitoring, personnel confidentiality, secure development practices, incident-response procedures, backups and supplier management. Further information is available in the Security Overview (/legal/grc-security).

ACTServ Technology Ltd maintains an Information Security Management System certified to ISO/IEC 27001:2022 within the certified scope.

While we seek to protect personal data, no method of transmission or storage can be guaranteed to be completely secure.

Automated decision-making

ACTServ does not use personal data covered by this Privacy Policy to make decisions based solely on automated processing that produce legal or similarly significant effects, unless specifically disclosed at the relevant time.

Direct marketing

ACTServ may send proportionate business-to-business marketing about relevant ACTServ services and events. Where required, we ask for consent. You may opt out at any time by using the unsubscribe option in the relevant communication or by contacting privacy@actserv.tech. Opting out does not affect operational, security, billing or contractual communications.

Your rights

Subject to applicable law, you may have rights including:

  • the right to request access to your personal data
  • the right to request correction of inaccurate data
  • the right to request deletion of your personal data
  • the right to request restriction of processing
  • the right to object to processing in certain circumstances
  • the right to data portability, where applicable
  • the right to withdraw consent, where processing is based on consent
  • rights regarding qualifying automated decision-making
  • the right to lodge a complaint with the competent supervisory authority
  • We may need to verify your identity before responding to a request.
  • If ACTServ processes the relevant personal data solely on behalf of a customer, the request should normally be directed to that customer. ACTServ will assist the customer in accordance with the applicable Data Processing Agreement.

Complaints

You may lodge a complaint with the Office of the Commissioner for Personal Data Protection in Cyprus or another competent supervisory authority.

Children

The website and the ACTServ GRC Platform are intended for business and professional use and are not directed to children. ACTServ does not knowingly provide Platform accounts directly to children.

Third-party websites

This website may contain links to third-party websites and services. Those sites and services have their own privacy notices, and ACTServ Technology Ltd is not responsible for their privacy practices or content.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The current version and its date appear on this page. Material changes may be communicated by email or by prominent notice where appropriate.

Contact

For questions relating to this Privacy Policy or the processing of personal data, you may contact:

  • ACTServ Technology Ltd
  • HE428639
  • 232 Strovolou Avenue, 2nd Floor, 2048 Nicosia, Cyprus
  • privacy@actserv.tech