Privacy Policy

1 - Data collected by elba & purposes of processing

In accordance with its subscription to the contract which binds us, Elba collects the following data:

Client's data

• Name, surname, email address of the contact
• Corporate name
• Public information (such as legal form of the company, registration number, address, share capital)
• Invoice contact

For this processing, elba must be qualified as controller of the data, provided that we determine the purposes and means of the processing of the data.

Data provided by the client in order for elba to be able to provide the phishing campaign survey report and deliver security awareness program

• Employee ID
• Gender
• Job title
• Email

For this processing, Elba must be qualified as processor, as we process data on Your behalf. Elba's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

2 - Our working environment

Elba offices are located in Vannes, Paris (France) and Tampa (United States).

The persons with access to the company premises are as follows

• Personnel duly authorized by Elba, subject to an employment contract or a traineeship agreement
• Any service providers for the strict performance of their mission, duly authorized by Elba, but not benefiting from any means of access, even temporary (badge) and accompanied by authorized staff in all circumstances
• Couriers and delivery personnel, if any, duly authorized by elba, but not benefiting from any means of access, even temporary (badge) and accompanied in all circumstances

The premises are accessible as follows

The entrance door is double locked (two digicodes), only managers and employees duly authorized by elba are given the 2 entry badges. The badges are non-reproducible. Elba employees are obliged to be equipped with an entry badge at all times. The badge is kept by the employee for the duration of the employment contract. At the end of the contract, it is returned to the management of elba. All access to data in critical technical areas by personnel has to be duly authorized by the founder of elba entry to the premises is controlled by a video surveillance system. The cameras operate 24 hours a day, 7 days a week and are located at the entrance to the premises.

3 - Data accesses & security

Elba has put into place all necessary technical and organizational appropriate measures in order to ensure the safety of the processing that is carried out within the framework of our contract and guarantee the protection of the rights of the persons concerned by the processing and meet the requirements of the applicable regulation.

Only the founder of elba has access to the solution on which the data is processed internally in order to provide the phishing report. Elba uses a unique identifier and password per application used. The identifiers are confidential and there are no shared accounts, identifiers or logins. Passwords are changed quarterly according to a specific procedure (complex passwords, numbers and punctuation). An automatic session locking mechanism (every 10 minutes) and the installation of a firewall are installed on our devices and computers. The internal WIFI has a password specifically dedicated to employees (subject to very strict confidentiality rules) and a different password specifically dedicated to guest users which can only be communicated to the latter (i) when necessary and (ii) by an employee duly authorized for this purpose. No passwords are posted on the company's premises.

We are subject to an obligation of confidentiality and discretion regarding the data to which we have specific access. We must ensure that the data to which we specifically have access cannot be read, duplicated, copied, modified or deleted without the appropriate authorization.

We have set up a system for the daily recording of the identifiers of employees and users on our solution, their connection times, the type of data consulted and the related references.The event logs are monitored every day in order to detect any anomalies. The logging policy includes the following elements: list of data collection sources, list of events to be logged by data sources, purpose of logging by event, frequency of collection and time base used.

Elba asks its clients to provide the data on a secured Google Drive which is only accessed by its founder. Furthermore, elba never prints data of any kind on paper.

4 - Our staff

Staff with access to the data is subject to a clause specifically aimed at the confidentiality of the data to which elba has given them access to for the execution of their mission. All elba staff members have been duly trained and informed of the provisions of the applicable regulation and its consequences. Each new employee also receives a training course on the subject.

Any violation of the obligation of confidentiality to which it is subject and/or of the procedures imposed by elba will lead to a sanction of the employee at the origin of the fault that may go as far as the withdrawal of his specific access rights and/or his dismissal - in compliance with the provisions of the legislation and regulation in force and depending on the degree of seriousness and the consequences.

The founder of elba has been appointed as security manager in charge of defining the procedure to be followed in the event of a data breach and possibly to evaluate the appropriateness and/or the obligation to notify the CNIL/persons concerned (if requested by the applicable regulation) by the breach.

He has also been appointed as manager of the rights of the concerned persons, and is therefore in charge of responding (if needed) and collaborating with the client on requests to exercise the rights of data subjects (right of access, rectification, deletion, limitation of processing, opposition, portability).

You can write to the founder at the following address: gdpr@elba.security

5 - Data retention

Subject to the mandatory preservation period of all data related to client’s files, which is five (5) years as of the end of the contractual relationship, the client’s identification data shall be retained by elba for a period that shall not exceed same period. In accordance with the applicable legislation, the accounting billing data is kept for a period of ten (10) years.

Elba hereby confirms that it deletes the data provided by the client within 2 years after it was provided to elba.

6 - Management of crisis situations

In case of violation of systems and databases, elba undertakes to take all useful precautions with regard to the nature of the data and the risks presented by the processing in order top reserve the security of the data.

To this end, elba has put into place an internal policy in the event of a real or supposed violation or attempted violation of data including all internal procedures and technical and organizational measures to ensure:

• That the means previously implemented by elba render it possible to avoid cases of data violation
• That all internal procedures put into place to ensure the communication of the mandatory instructions in a case of real or supposed data violation are properly informed (disconnection of the machine, machine maintained under power, live warning of the security manager, copy of the hard disk)
• In the event of an actual breach, that a detailed report is drawn up by the appointed teams, signed by the security manager (who is also the legal representative of elba),including the list of persons in charge of analyzing the breach, the successive stages of the analysis, the nature of the intrusion, the approximate number of people concerned by the breach, the probable consequences of the breach and the measures envisaged by elba to deal with and mitigate it.

In addition, a self-assessment is carried out, annexed to the violation analysis report, including the level of seriousness of the violation on the rights and freedoms of the persons concerned.

In the case where the violation entailed a risk for the rights and freedoms of the data subjects, a procedure for notifying the competent authority (for France: Commission Nationale de l’Informatique et des Libertés, the French “CNIL”) and the data subjects is provided in the internal violation policy.

These provisions, as well as the internal data violation policy is applicable to situations in which Elba is the data controller within the meaning of the regulation, but also in cases in which Elba is a processor within the meaning of the same regulation, it being specified that in the latter case Elba will provide its full collaboration to the data controller and undertakes to notify the existence of a violation immediately after its discovery and to document it according to the same procedure if required by the aforementioned regulation.

7 - Our data processors

Elba hereby informs the client that it employs the following subcontractors:

• Subcontractor: AWS ; Function: Data hosting; Privacy policy: AWS
• Subcontractor: EU Customers ; Function: Data hosting ; Privacy policy: AWS - Frankfurt
• Subcontractor: US Customers ; Function: Data hosting ; Privacy policy: AWS - North Virginia

Elba informs its client that it has only employed subcontractors who have put in place all technical and organizational measures in order to respect the guarantees required by the applicable regulation.

8 - Data hosting and transfers

As described in the previous article, the client’s data as well as data provided by the client in order to provide the Report, as well as the Report itself are hosted on Google’s servers which are located in the European Union. Therefore, no data is subject to any transfer outside of the European Union area.

Elba also informs its clients that the only recipient of the data (clients’ data as well as data provided by the client) is elba and especially its founder (notwithstanding communication to the public competent authorities if required by regulation and the host of the data).

9 - Google API Data Usage

elba integrates with Google Workspace services to provide security monitoring and access management capabilities. This section details how we handle data received through Google APIs.

Data Collection and Usage

When you connect your Google Workspace account, elba may access:

• User account information (names, email addresses, organizational units)
• Google Drive file metadata (sharing settings, ownership, access logs)
• Google Workspace administrator settings and configurations
• Directory information and group memberships
• OAuth application access and permissions

This data is used exclusively to:

• Monitor and manage file sharing permissions
• Conduct security audits and access reviews
• Detect potential security risks
• Generate security reports and analytics
• Automate security policy enforcement
• Maintain compliance with security frameworks

Data Protection and Limitations

In accordance with Google API Services User Data Policy and Limited Use requirements:

1. Limited Usage: We only access and use Google user data to provide and improve our core security and compliance features. This data is never used for:
   • Advertising purposes
   • Marketing campaigns
   • Resale to third parties
   • Public disclosure without explicit user consent
2. Data Transfer: Google user data is only transferred:
   • Between elba's secure systems necessary for service operation
   • To the customer's authorized systems as part of our service features
   • As required by applicable law, with notice to the customer when legally permitted
3. Data Retention: Google user data is retained only for the duration necessary to provide our services:
   • Active customer accounts: Data is retained as needed for ongoing security monitoring
   • Terminated accounts: Data is deleted within 60 days of service termination
   • Audit logs: Retained according to compliance requirements (maximum 2 years)
4. User Controls: Customers can:
   • Review and modify Google service access permissions
   • Request data export in standard formats
   • Request complete deletion of their Google data
   • Revoke access to Google services at any time
5. Security Measures: Google user data is protected using:
   • Enterprise-grade encryption in transit and at rest
   • Secure AWS infrastructure:
   • EU customers: Data hosted in AWS Frankfurt region
   • US customers: Data hosted in AWS North Virginia region
   • Role-based access controls
   • Regular security audits and monitoring

10 - Data deletion requests

Elba respects the privacy and control of users over their personal data. In compliance with applicable regulations and Slack Marketplace guidelines, we offer users and customers a straightforward process to request the deletion of their data.

Who can request deletion
Data deletion requests may be initiated by:

• End users whose data has been collected via Elba’s integrations (e.g., Slack, Google Workspace)
• Workspace administrators acting on behalf of their organization

What data can be deleted
Depending on the context of your relationship with Elba, the following types of data may be eligible for deletion:

• User account data (e.g., name, email, job title)
• Application usage logs
• Security scan metadata or reports
• Google Workspace or Slack-derived user data (e.g., file metadata, access logs)
• Any other personal data that Elba processes as a data processor or data controller

How to tequest data deletion
To request deletion of your personal data, please email us at gdpr@elba.security with the subject line:
Data Deletion Request – [Your Workspace/Company Name]

Include the following:

• Your full name
• Your email address
• If applicable, your Slack Workspace ID or Google Workspace domain
• Description of the data you would like deleted
• Whether the request is being made on behalf of an individual or an organization

We may ask for additional information to verify your identity or authority to make the request.

Processing Timeline

• Requests are acknowledged within 5 business days
• Data is deleted within 30 days of verification
• Confirmation of deletion will be provided to the requestor

Slack User Data Specifics
If your organization uses our Slack app, and you request deletion of data we’ve accessed via Slack APIs:

• Elba will delete all data collected about the user or workspace upon verified request, including Slack user IDs, message metadata (if any), and access records
• Elba will also delete any user data stored in its systems that originated from Slack within 30 days of a verified deletion request

Data Retention Exceptions
Certain data may be retained if required by law or for legitimate business purposes, such as:

• Billing and accounting records (retained for up to 10 years as required by law)
• System audit logs retained in accordance with compliance obligations (maximum of 2 years)
• Backups that are securely stored and will be purged as part of our regular backup rotation schedule

Revoking App Access
In addition to contacting us, users may also remove the Elba app from their Slack or Google Workspace environment, which will revoke all future access to their data.

Contact us

For any further information, please contact us at: gdpr@elba.security.