Data Protection & Lawful Basis
This page explains how personal and organisational data is processed within the CyberAdviser Supplier Assessment service, including roles under data protection law, lawful bases, and data sources across assessment levels.
This page applies only to the Supplier Assessment service. For CyberAdviser’s general Privacy Policy, please see: https://cyberadviser.net/privacy-policy/.
OSINT boundaries (no intrusive access)
We do not perform intrusive access. Our OSINT enrichment is designed for due diligence and uses only publicly available information and signals.
- No credentialed access (no logins, no use of leaked credentials, no bypassing authentication).
- No exploitation, privilege escalation, or attempts to access non-public systems or data.
- No active interference with supplier systems; checks are limited to publicly accessible surfaces and sources.
Lawful basis (OSINT data usage)
Where OSINT enrichment is used, the primary lawful basis is legitimate interests (GDPR Art. 6(1)(f)): supporting client due diligence and third-party risk assessment. We use OSINT to help clients assess supplier risk signals and to prioritise follow-up questions; it is not a certification, audit opinion, or legal conclusion.
Data sources and limitations
Sources may include: supplier websites, public policies, public security pages, public documentation, public incident disclosures, public registries, and other publicly accessible materials relevant to risk signals.
Limitations:
- Public information can be incomplete, outdated, or inaccurate (false positives/negatives are possible).
- Absence of evidence is not evidence of absence; missing signals do not imply non-compliance.
- Results are point-in-time and should be validated with supplier-provided evidence when decisions are made.
Retention
Assessments and related supplier records are retained to support auditability and repeatability. Customers may request deletion of their data; operational backups are rotated and retained for 30 days.
Scope and purpose
Supplier Assessment supports third-party risk management by producing a structured assessment output (e.g., summaries, scoring, and evidence snapshots) based on the configured assessment level and available inputs. The service is intended for business-to-business due diligence and security/compliance decision-making.
Roles: Controller and Processor
In typical usage, more than one party may act as a controller for different purposes. The roles below describe the common setup for Supplier Assessment.
| Party | Typical role | What this means in practice |
|---|---|---|
| CyberAdviser | Controller (for operating the service) | Determines how the Supplier Assessment platform operates (security, hosting, audit logging, account management, and the standard processing required to deliver the service). |
| Client (the organisation requesting the assessment) | Controller (for its own risk/compliance purposes) | Determines why it uses Supplier Assessment and how outputs are used in its internal processes (e.g., onboarding, vendor review, regulatory compliance, procurement decisions). |
| CyberAdviser (for client-specific instructions) | Processor (where applicable) | Processes data to provide assessments and outputs in line with client instructions/configuration. Contractual terms may allocate responsibilities for such processing. |
Lawful basis
Primary basis: Legitimate interests (Art. 6(1)(f))
Supplier Assessment is typically processed on the basis of legitimate interests relating to:
- information security and third-party risk management;
- fraud prevention and service integrity;
- regulatory and contractual compliance in a B2B context.
Where legitimate interests are relied upon, the processing is designed to be proportionate, to minimise data where feasible, and to focus on business-relevant risk signals rather than on profiling individuals.
Additional basis: Contract (Art. 6(1)(b))
In certain scenarios, processing may also be necessary for the performance of a contract or for steps taken prior to entering into a contract, for example when:
- a supplier completes a questionnaire specifically to support an assessment request;
- data is required to generate a requested assessment output and deliver it to the client.
Consent is not used as the primary lawful basis for Supplier Assessment processing. Where consent is used in any specific workflow, it will be clearly indicated in context.
Data categories
- Supplier business data (e.g., company name, domain, country, industry, business identifiers).
- Business contact data (e.g., names/emails of supplier representatives who respond to questionnaires).
- Technical and security metadata (e.g., scan timestamps, checks performed, indicators and evidence references).
- Assessment artefacts (e.g., module results, summaries, risk levels, and scoring outputs).
Data sources by assessment level
L1 – Essential
- Primarily public, passive sources and basic OSINT checks.
- No direct supplier interaction is required.
L2 – Advanced
- May include supplier questionnaire responses (where requested/available).
- Combines structured questionnaire inputs with OSINT signals to produce a higher-confidence output.
L3 – In-depth
- May include agreed interviews/workshops and/or document review to validate controls.
- Interviews or audits are not mandatory and are used only where proportionate and agreed.
Data retention
Retention is aligned to the assessment lifecycle and client needs. We aim to retain only what is necessary to deliver the service, support auditability, and meet applicable legal and contractual obligations. Specific retention periods may be defined in service terms.
Security and access controls
- Access is restricted to authorised personnel and authenticated users with appropriate permissions.
- Operational security controls help protect confidentiality, integrity, and availability.
- Logging and monitoring may be used to detect misuse and support auditability.
Individual rights and contact
If you have questions about data protection for Supplier Assessment, or wish to exercise data protection rights where applicable, please use the contact details provided in CyberAdviser’s Privacy Policy: cyberadviser.net/privacy-policy.
Disclaimer: This page is provided for transparency and information purposes and does not constitute legal advice.