Privacy Policy

Last updated: 12/08/2024

We appreciate your visit to our website. Protecting your privacy is very important to us and we want you to feel safe on our website. 

This privacy policy applies to all website visitors, applicants, interested parties and customers whose personal data is provided to us in connection with a website visit, a job application (via the website or otherwise) or the implementation or initiation of a business relationship, as well as to all users of our awareness building services, insofar as we process personal data processed there for our own purposes. We are the controller in relation to the processing of the personal data listed in this Privacy Policy. 

The aforementioned personal data is information that relates to an identified or identifiable natural person (hereinafter “data subject”). This includes in particular your name and e-mail address, but also data about your use of our website (e.g. your IP address), information in your CV, etc.

Below, we inform you about the nature, scope and purpose of the personal data we process and inform you about your rights as a data subject. 

1. Name and address of the data controller

The responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is: 

SoSafe GmbH 
Lichtstr. 25a  
50825 Cologne  
Germany  
Managing Directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz, Felix Fichtl
E-Mail: info(at)sosafe.de
Phone: +49 221 6508 3800 

2. Name and address of the data protection officer

The data protection officer of the controller is 

Mr. Sebastian Herting 
Herting Oberbeck Datenschutz GmbH
Hallerstraße 76
20146 Hamburg
Germany  
Landline: +49 40 226 34 56 0
E-Mail: dpo(at)sosafe.de

a. Website visit for informational purposes 

If you visit our website for informational purposes only, without actively providing personal data yourself, we only store access data in so-called server log files. This includes 

  • the name of the requested file, 
  • Date and time of retrieval, 
  • volume of data transferred, 
  • browser used, 
  • operating system used, 
  • IP address, 
  • requested URL, 
  • Referrer URL (URL you visited immediately before) and 
  • the requesting provider. 

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to enable you to access our website. 

The personal data listed are automatically collected by our IT systems when you visit our website. Without processing the personal data (in particular the IP address) for the duration of the session, the website may not be displayed, or may be displayed only to a limited extent.

b. Contact 

On our website we provide information that enables you to contact us quickly by electronic means and to communicate with us directly. This includes in particular our contact forms. If you contact us by email or contact form, the personal data you provide will be stored automatically.

In addition, we also provide contact options via a contact field and message (via the social media presence) on various social media presences, as listed in more detail in section 5. 

In doing so, we generally process the following personal data from you: 

  • First and last name, 
  • Email address, 
  • Company/Employer, 
  • Phone number,
  • personal data contained in the individual cover letter and
  • IP Address

We use the personal data you provide exclusively for processing your specific inquiry. Your information may be stored in a customer relationship management system (so-called CRM system) or another organizational tool for customer data.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the respective conversation with you has ended or a concluded contract is terminated and the data is no longer required.

Additionally, we collect and process your IP address to identify misuse and prevent fake requests. This measure also helps us improve our sales efficacy and advertising efforts.

The legal basis depends in this respect on the information that you provide to us when contacting us in the course of sending an email, the contact form or a message. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR. If contact is made for other purposes, the legal basis is Art. 6 para. 1 lit. f GDPR.

c. Job application 

The processing of certain personal data is also unavoidable in order to carry out an application procedure. We process the following personal data in connection with a job application, which can be made via the applicant portal, via a social media presence, by e-mail or by post, until a decision is made on your application:

Personal information includes in particular 

  • Name, 
  • Title, 
  • private contact data (e-mail addresses, telephone numbers, postal address), 
  • Gender, 
  • Date and place of birth, 
  • Marital status, 
  • Number of children, 
  • Driving license information and 
  • Disability Status. 

Specialized information also includes 

  • Resume, 
  • Letter of Recommendation, 
  • Cover letter, 
  • Work Authorization Ticket, 
  • Previous employments, 
  • Training History, 
  • Languages spoken, 
  • Skills relevant to the job, as well as 
  • Testimonials and the like. 

The aforementioned personal data are required for the selection of suitable employees, the notification of the decision on an application, the coordination of the application process (e.g. personal interview) and for the establishment of an employment relationship. 

The legal basis for this processing of personal data is Section 26 (1) sentence 1 BDSG. 

We collect the aforementioned personal data directly from you as an applicant during the application and recruitment process. If your application is unsuccessful, your data will be deleted 180 days after the end of the recruitment process if you haven’t expressly consented to a longer storage period. Your personal data will be stored for an additional period of six months in case you give SoSafe your consent for this storage.

We use Ashby, Inc., a cloud services provider located in the United States of America to help manage our recruitment and hiring process as a processor on our behalf.

For certain positions within our company, namely positions with access to sensitive financial information, positions in IT Security, VPs and Board members, we conduct specific and role-based pre-employment screenings to assess the suitability of those applicants and to verify the information provided by the applicant. These checks may include the verification of references, qualifications, criminal records, credit checks, global sanctions and other job-related information, where legally permitted.

We engage an external service provider to conduct these screenings. This service provider processes the data collected during the pre-employment screening strictly in accordance with our instructions and in compliance with the data protection regulations of the GDPR.

The data processed during the screening is treated confidentially and used solely for the purpose of deciding on your potential employment in a non-automated case-by-case decision. The legal basis for processing your personal data in this context is Article 6(1)(b) GDPR (performance of pre-contractual measures) and our overriding legitimate interests under Article 6(1)(f) GDPR, which include our interest in functioning IT Security.

d. Data collection and use for contract processing 

In order to initiate or execute the contractual relationship with you, the processing of certain personal data is unavoidable. In connection with the execution of the contract, including any registration within the scope of our awareness building services, we process the following personal data in particular 

  • Name, 
  • Company name, 
  • Business address, 
  • E-mail address, 
  • Phone number and 
  • documents or texts submitted by you that contain personal data 

and all data necessary for the processing of payments and for the prevention of fraud, in particular 

  • Credit card or debit card numbers, 
  • any security codes and 
  • other billing information. 

Insofar as we use this personal data (i) to coordinate the planning, execution, control and administration of your contractual relationship with us, (ii) to provide you with information about your registration or how to make changes in our system or (iii) to carry out payment transactions, the legal basis for these processing operations is Art. 6 (1) lit. b GDPR. 

If, on the other hand, the personal data is used for the settlement of disputes, the enforcement of the contractual agreement and the establishment, exercise or defense of legal claims, the legal basis for this processing is Art. 6 para. 1 lit. b or f GDPR, depending on the claims. 

If you have submitted your data for the purpose of initiating a contractual relationship, we may pass it on to our sales partners if they are suitable for your segment. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.

We collect personal data in connection with the performance of the contract directly from you by you providing the personal data yourself when ordering/registering, whether via the self-service portal at https://app.sosafe.de/ or by other means. 

After complete processing of the contract, your data will be blocked for further use and deleted after expiry of the statutory retention periods, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you below. 

e. Newsletter 

Furthermore, we process your personal data when you register for our newsletter. 

To send our newsletter, we use the service provider HubSpot, which is operated by HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland. We have concluded a data processing agreement with HubSpot, which obliges HubSpot to protect your data, to process it on our behalf in accordance with this privacy policy and not to pass it on to third parties. Your data will be stored on the servers of HubSpot.

To register, you must provide us with your email address. You can voluntarily provide us with additional information, such as your name. The registration takes place via a double opt-in process. After registration, you will receive an email from us in which you must confirm the registration. This entire process is documented and stored. This includes both the storage of the registration and the confirmation time, as well as your IP address. 

The legal basis for the processing of personal data in connection with the sending of the newsletter is Art. 6 para. 1 lit. a GDPR. 

You can revoke your consent to the processing of your personal data in connection with the sending of the newsletter at any time by cancelling the newsletter. For this purpose, please use the provided link at the end of the newsletter to cancel. The legality of the data processing operations already carried out remains unaffected by the revocation. 

f. Demo mail dispatch 

Personal data is also processed when you sign up for a demo mailing to test the suitability of our services for your business. 

For sending the demo mails as part of our demo (at demo.sosafe.de), but not for our phishing simulations as part of a commission, we use the services of SendGrid, Inc, 1801 California Street, Suite 500, Denver, CO 80202, USA. Cookies and web beacons (tracking pixels) are used within the emails sent by SendGrid when performing the demo mailing. With the help of SendGrid, we analyze the sending of the demo emails. The analysis is used exclusively for the statistical analysis of the messages as well as for the preparation of the evaluation of the demo mail dispatch. The personal data is transferred to the SendGrid server in the USA. Government agencies in the USA may also have access to this personal data. We have concluded the standard contractual clauses adopted by the European Commission with SendGrid in order to ensure the level of data protection of the GDPR in the USA as well. 

For demo mailings we process the following registration data 

  • Salutation, 
  • Name, 
  • E-mail address. 

As well as the following analysis data 

  • a message was opened, 
  • which links, if any, were clicked on and 
  • Time of retrieval, IP address, browser type and operating system. 

The data processing is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR. 

You can revoke your consent to the processing of your personal data in connection with the demo mailings at any time by cancelling the demo mailings (by email to support@sosafe.de). The legality of the data processing operations already carried out remains unaffected by the revocation. 

Without the corresponding processing of the personal data, the demo mail dispatch may not be provided or may only be provided to a limited extent. 

g. Feedback surveys 

In addition, personal data is processed when users (employees of our customers) provide personal data in the feedback surveys which also might be included in our awareness building services.

On the educational pages associated with our simulated phishing e-mails (links start in each case with https://learning.sosafe.de/…) as well as within the eLearning platform (at https://elearning.sosafe.de), we offer you (as a user) the opportunity to leave us feedback, praise or criticism. The rating you enter (on a scale of 1-5) as well as the optional free text will be made available to your employer, on the one hand, to give them an overview of the feedback from the workforce on the IT security training offered and, on the other hand, will be used by us to improve our services. Therefore, if you provide identification features in the free text or leave your e-mail address for queries regarding your feedback (not reported to employer), this personal data will be processed by us for the aforementioned purpose.

In addition, an evaluation score and comment can also be submitted per eLearning module. These ratings are stored together with your eLearning account on a personal basis.

In addition, we may add links to feedback forms in connection with our Phishing Report Button. These feedback forms are provided by Microsoft, our sub processor, on servers in the EU. Data will be only transmitted if you add and submit data in these forms. We solely use such data for the purposes mentioned in the respective feedback form.

In addition, we may provide surveys via other resources (e.g., our customer newsletter) on various topics, which will help us to improve our services and gain insights to our customers’ needs.

The legal basis for the processing of this personal data by us, regarding all surveys, is your consent (Art. 6 para. 1 lit. a GDPR) which can be revoked at any time via our contact options.

Furthermore, in the context of providing our contractual services to you, we may suggest that you provide feedback on your experience using our services through third-party tools by providing you with links to such third-party provider. Please note that your provision of feedback on the third-party platform will be subject to the respective terms and conditions of the third-party provider to whom we are not affiliated.

The legal basis for the processing of your personal data for the purposes of suggesting these third-party feedback invitations is Art. 6 para. 1 lit. f GDPR.

The feedback itself given through third-party providers will also be used by us to improve our services.

For the other processing of personal data that we perform when providing our services under a contract with a customer (e.g., your employer), the respective customer is the sole controller with respect to the personal data involved in such processing. This Privacy Policy does not apply to such processing of personal data where we process personal data only in the role of a processor on behalf of such customer.

h. Interviews for product research and development 

Users of our Awareness Building Services may voluntarily participate in interviews. We use the data collected during interviews for internal purposes to further improve our products and services. We may aggregate the results, grouped with other participants’ responses, to share interview results internally within SoSafe. Video recordings and/or transcriptions are only made if you have consented to them. We delete video recordings after 12 months and all other personal interview data after two (2) years.

The legal basis for storing data in the context of videos is your consent pursuant to Art. 6 (1) lit. a GDPR.

i. Google Ads Lead Form Extensions 

We use the Google Ads lead form extension service to give you the opportunity to contact us directly via our ads placed on Google Ads. If you provide personal data, this will be stored by Google for 30 days.  
The legal basis here is primarily your consent pursuant to Art. 6 (1) lit. a GDPR. If your contact is aimed at concluding a contract, the legal basis for the processing is Art. 6 (1) lit. b GDPR. 

j. Human Firewall Conference 

You have the opportunity to register for our Human Firewall Conference. The conference will take place both on-site and online as a webinar. The following information is required for registration:

  • E-mail address
  • First name
  • Last name
  • Company name
  • Job title
  • Company size

This information is required in order to offer you the opportunity to network with other people during the conference.

As part of the registration process, you will be asked to indicate whether you would like to participate on site or as part of the webinar.

We use the networking platform talque, Real Life Interaction GmbH, Choriner Str. 3, 10119 Berlin, to conduct the webinar. Only if you have decided to participate in the webinar will we pass on the data generated during registration to talque. You will then receive an email with a personal invitation link. The legal basis for this is Art. 6 para. 1 sentence 1 lit. b) GDPR. The processing of the data by talque takes place on the basis of a concluded order processing contract in accordance with Art. 28 GDPR.

k. Recordings of meetings

Personal data is processed when you participate in meetings that are organized and recorded by the SoSafe Sales department.

We use the service provider Clari CoPilot, which is operated by Clari, Inc, 1154 Sonora Court, Sunnyvale, CA 94086, USA to record the meetings, to take notes during the meeting, to summarize the meeting and to train employees. We have concluded a data processing agreement with Clari, which obliges Clari to protect your data and to process it on our behalf in accordance with this privacy policy. Your personal data will be transferred to the servers of Clari in the USA. Clari is an active participant in the EU – U.S. Data Privacy Framework which means it has reliable mechanisms in place for personal data transfers from the European Union to the United States. On top of this we have concluded the standard contractual clauses adopted by the European Commission with Clari in order to ensure the level of data protection of the GDPR in the USA as well.

For the recordings of the sales meetings we process the following personal data:

  • First and last name,
  • Job title,
  • Employer,
  • Contact data (company, email address, phone number, physical business address),
  • Login credentials,
  • Communications and calendar information (including emails, business meeting information),
  • Technical usage and telecommunications data (including IP addresses of devices used to access Clari CoPilot),
  • Sensory (audio) data (including call recordings, and transcriptions and analyses thereof).

The legal basis for the processing of personal data in connection with the recordings of sales meetings is Art. 6 para. 1 lit. a GDPR.

You can revoke your consent to the processing of your personal data in connection with the recordings of the sales meetings at any time by sending an email to privacy@sosafe.de to inform SoSafe about your revocation of your consent. The legality of the data processing operations already carried out remains unaffected by the revocation.

l. Dangerlab

When you use our “Dangerlab” function, we process personal data to simulate the chosen vishing or smishing attack simulation. After you provide your LinkedIn profile URL, we collect information from your profile, such as your name, job title, and contact details. SoSafe transfers and processes the personal data to or through third party service providers and its subcontractors, which are based in countries that may not have a statutory level of data protection that is considered ‘adequate’ under EU data protection laws. ChatGPT (provided by OpenAI Ireland Ltd, Ireland) generates a phishing attack script. The script, containing your personal data, is sent to Eleven Labs, Inc., USA, for voice synthesis. Twilio Ireland Limited, Ireland, uses the voice imitation to initiate an automated call to the phone number associated with your LinkedIn profile.

In addition to processing your data for the chosen vishing or smishing attack simulation, we process and store your personal contact data so that SoSafe may contact you regarding our products and services. More information about this processing can be found in paragraph 3.b. of this Privacy Policy.

The legal basis for processing personal data in connection with the Dangerlab function and for the described marketing purposes is Art. 6 para. 1 lit. a GDPR (consent). You can withdraw your consent at any time by contacting us at privacy@sosafe.de. The legality of prior data processing remains unaffected.

We store your personal data as long as necessary for the fulfilment of the processing purposes. The attack script as well as your voice synthesis and the voice imitation will be deleted after the completion of the simulated attack.

4. Use of cookies

In order to make visiting our website more attractive and to enable the use of certain functions, we use so-called “cookies” on our website. These are small text files that are stored on your terminal device. 

Cookies allow us, for example, to track and determine your preferences and to identify you individually during a visit to our website. After the end of the browser session, most of the cookies we use are deleted again (“session cookies”). The permanent cookies (“persistent cookies”), on the other hand, remain on your terminal device and thus enable us, for example, to recognize you on your next visit or to analyze your usage behavior. You can revoke your consent at any time with effect for the future here:

a. Use of necessary cookies 

The purpose of using technically necessary cookies is to simplify the use of our websites for you. Some functions of our website cannot be offered without the use of these cookies. For these, it is partly necessary that your browser is recognized even after a page change. In case of non-acceptance or deactivation of cookies, the functionality of our website may be limited. 

These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.

b. Use of cookies for analysis purposes and online marketing 

In this section, we inform you which services of technology partners we use for reach measurement and online marketing purposes. Insofar as no anonymous or anonymized data is processed or we do not obtain your prior consent in the context of the use of cookie management (Art. 6(1)(a), Art. 7 GDPR), their use is based on our legitimate interest (Art. 6(1)(f) GDPR) in increasing user-friendliness and for the optimization and more targeted control of our offer. 

Insofar as you have given your consent to the processing, you can revoke this at any time via the settings in our cookie management. If processing is based on our legitimate interest, you generally have the option to object (opt-out). If no explicit opt-out option of the respective service provider used by us has been specified below, it is possible for you to disable cookies in the settings of your browser. However, this may restrict functions of our online offer. Alternatively or additionally, you can also use the following general opt-out options: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: https://optout.aboutads.info

In all cases, the categories of data processed include usage data and metadata. Reach measurement and online marketing are carried out in particular on the basis of cookie and web beacon technology. Special categories of data are not processed in this context.

Unless otherwise stated, the deletion of data is determined in accordance with the privacy statements of the technology partners. 

Google Tag Manager 

Google Tag Manager is a solution that allows us to manage so-called website tags via an interface (and thus, for example, integrate Matomo and other marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any user data. With regard to the processing of users’ data, please refer to the following information on Google services. 

Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Privacy policy of the service provider: https://policies.google.com/privacy; Within the scope of this service, a data transfer to a third country, i.e. a country outside the European Union or the European Economic Area, takes place or such a transfer cannot be excluded. Guarantee in case of processing in third countries: EU standard contractual clauses https://privacy.google.com/businesses/processorterms/

Matomo

On this website, we use Matomo for the purposes of traffic analysis, session recording, measuring form/media interactions and A/B tests. For this, we process the following data: Date and time, title of the page being viewed, URL of the page being viewed, URL of the page that was viewed prior to the current page, screen resolution, time in local timezone, files that were clicked and downloaded, link clicks to an outside domain, pages generation time, country, region, city, main language of the browser, user agent of the browser. This data is only processed by us for internal analysis of our website and not shared with any third parties.

Google Ads 

We use Google Ads to place ads on the websites of Google, Google partners and in the display network and to measure their success (conversion measurement). In doing so, we only receive an anonymous overall evaluation, but not information related to individual users. You have the option to use the following opt-out option of the service provider: https://adssettings.google.com/

Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy of the service provider: https://www.google.com/policies/privacy. Within the scope of this service, a data transfer to a third country, i.e. a country outside the European Union or the European Economic Area, takes place or such a transfer cannot be excluded. Guarantee for processing in third countries (USA): EU standard contractual clauses https://privacy.google.com/businesses/processorterms/ 

Facebook Pixels (Facebook Custom Audiences) 

The Facebook pixel is a solution for displaying interest-based advertisements to users of our website when they visit the Facebook social network or other websites that also use the method.  

Service provider: Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; further information on data collection: https://www.facebook.com/help/186325668085084, https://www.facebook.com/about/privacy/your-info-on-other#applications and https://www.facebook.com/about/privacy/your-info#everyoneinfo

Twitter Ads 

We use the remarketing function of Twitter Inc. (“Twitter”) on our website. With the Twitter remarketing function, we can address you with advertising based on your interests on the Twitter platform. For this purpose, Twitter uses so-called “tags”. Via this tag, visits to our website as well as data on usage are recorded in pseudonymous, non-personal form. If you subsequently visit Twitter, you will be shown advertisements based on your interests. 

Service provider: Twitter International Company, One Cumberland Place, Fenian Street, D02 AX07 Dublin 2, Ireland. More information: https://support.twitter.com/articles/20171528, https://business.twitter.com/de/help/troubleshooting/how-twitter-ads-work.html

HubSpot 

We use HubSpot as an integrated marketing solution to unify our email marketing, social media publishing & reporting, reporting, contact management, and contact forms. 

Service Provider: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland. More information: https://legal.hubspot.com/privacy-policy, https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser, https://knowledge.hubspot.com/account/hubspot-cookie-security-and-privacy

Microsoft Advertising / Bing

We use Microsoft Advertising / Bing to display interest-based advertisements to users of our website when they visit websites that are part of the Microsoft advertising network.

Service Provider: Microsoft Corporation, One Microsoft Way, Redmond, Washington, USA.

More information: https://about.ads.microsoft.com/en-us/resources/policies/microsoft-advertising-privacy-policy

Wonderkind

We use the services of Wonderkind on this website. Wonderkind helps us find talents through artificial intelligence. Wonderkind uses cookies to show relevant job advertisements to you. For more information about the use of cookies by Wonderkind and how Wonderkind processes your personal data, please visit: https://www.wonderkind.com/privacy-policy.

Service Provider: Wonderkind Global B.V., H.J.E. Wenckebachweg 123, 1096 AM Amsterdam.

More information: https://www.wonderkind.com/privacy-policy

Reddit

We use the Reddit Conversion Pixel on our website. This is an analysis tool from Reddit Inc, 548 Market St, San Francisco, CA 94104, USA (“Reddit”). With the help of this tool, we can track the behavior of visitors to our website after they have reached our website by clicking on a Reddit ad. This enables us to evaluate the effectiveness of Reddit ads for statistical and market research purposes and to optimize future advertising measures.

The data collected by the cookie is anonymous to us and does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by Reddit so that a connection to the respective user profile is possible and Reddit can use the data for its own advertising purposes in accordance with the Reddit Privacy Policy (https://www.redditinc.com/policies/privacy-policy).

Meta

We use the services of Meta, Inc, 1601 Willow Road, Menlo Park, CA 94025, USA (“Meta”) for conversion tracking and custom audiences on our website. Tracking is only used with your prior consent as part of our cookie banner. Conversion tracking enables us to measure the effectiveness of our online advertising by tracking what actions users take on our website after they have clicked on one of our Meta ads. Cookies or similar technologies are stored on your end device for conversion tracking.

We also use Meta’s Custom Audiences service to display personalized advertising. For this purpose, we upload our customers’ data (e.g. calculation from email addresses) to Meta in hashed or encrypted form. Meta compares these hashes with the hashes of Meta users in order to display our ads in a targeted manner.

The data collected by these services can be linked to your Meta profile if you are logged in to Meta. If you wish to avoid this link, you should log out of your Meta account before visiting our website. Further information on data collection and processing by Meta can be found in Meta’s privacy policy: Meta Privacy Policy.

To generally prevent the collection of your data by Meta services on our website, you can make the appropriate settings in your Meta account or use special browser plug-ins and extensions that prevent tracking.

Clearbit

We use Clearbit to enrich data relevant to our Marketing and Sales processes and an improved website experience.

Service provider: API Hub, Inc. dba Clearbit, 548 Market St. #95879, San Francisco, CA 94104. Privacy policy

Google Analytics 

We use Google Analytics provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland on our website. 

Google Analytics is a web analytics service that enables us to collect and analyse data about the behaviour of users on our website. Google Analytics enables us to measure interaction data from different devices and from different sessions. This allows us to contextualise individual user actions and analyse long-term relationships. 

Google Analytics uses cookies, which enable us to analyse the use of our website. Personal data in the form of IP addresses, device identifiers and information about interaction with our website is also processed. Some of this data is information that is stored on the device you are using. In addition, further information is stored on your device via the cookies used. Google Ireland will process the data collected in this way on our behalf in order to analyse the use of our website by users, to compile reports on the activities within our website and to provide us with further services associated with the use of our website. Pseudonymised user profiles can be created from the processed data. 

The setting of cookies and the further processing of personal data described here takes place with your consent. The legal basis for data processing in connection with the Google Analytics service is therefore Article 6(1)(a) GDPR. You can revoke this consent at any time via our Consent Management Tool with future effect. 

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users is shortened by Google Ireland within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. The IP address transmitted by the user’s browser is not merged with other data. The IP address is truncated on servers in the EU. The data on user actions is stored for a period of 14 months and then automatically deleted. Data whose storage period has expired is automatically deleted once a month.

Google Remarketing 

We also use the Google Analytics advertising functions (remarketing). This function enables us, in conjunction with Google’s cross-device functions, to display adverts in a more targeted manner and to present users with adverts tailored to their interests. Remarketing is used to show users adverts and products for which interest has been identified on other websites in the Google network. The function allows us to link advertising target groups created via Google Analytics Remarketing with the cross-device functions of Google Ads. In this way, interest-based, personalised advertising messages that have been adapted to a user depending on previous usage and surfing behaviour on one end device (e.g. mobile phone) can also be displayed on another end device of the user (e.g. tablet or PC). 

If you have given your consent, Google will link your web and app browsing history to your Google account for this purpose. In this way, the same personalised advertising messages can be displayed on every device on which you sign in with your Google account. The data collected in your Google account is summarised exclusively on the basis of your consent, which you can give or withdraw from Google. For these linked services, data is then collected for advertising purposes via Google Analytics. To support the remarketing function, Google Analytics collects the Google-authenticated IDs of users, which are temporarily linked to our Google Analytics data. This is used to define and create target groups for cross-device advertising. 

Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; privacy policy of the service provider: https://www.google.com/policies/privacy. Within the scope of this service, a data transfer to a third country, i.e. a country outside the European Union or the European Economic Area, takes place or such a transfer cannot be excluded. Guarantee for processing in third countries (USA): EU standard contractual clauses https://privacy.google.com/businesses/processorterms/ 

G2 

We use the G2 tracking pixel to gain insights into how SoSafe’s G2 product profile influences buyer behavior, including interactions with related category pages and competitor profiles. This tracking helps us understand the journey of visitors navigating between SoSafe’s G2 product profile, category pages, competitor profiles, and our website. When you, as a visitor, engage with these elements, we collect data including the specific pages visited, the time spent on each page, and firmographic details about you. This information enables us to tailor and enhance your browsing experience. 

Service provider: G2.com, Inc., 100 S. Wacker Drive, Suite 600, Chicago, Illinois 60606, USA. More information: https://documentation.g2.com/docs/track-your-prospects, https://legal.g2.com/privacy-policy

Leadfeeder 

We use Leadfeeder to gain insights into how companies and, occasionally, identified individuals from those companies interact with our website. This tracking tool collects data that helps us understand the business and personal engagement of visitors. The data includes the company name associated with the visitor’s IP address, identifiable information about individual visitors when available, the pages visited, the duration of those visits, and the source of the visit. This information enhances our understanding of visitor behavior and enables us to tailor and improve our marketing and sales strategies based on detailed insights into our website traffic. 

Service provider: Dealfront Group GmbH, Durlacher Allee 73, D-76131 Karlsruhe, Germany. More information: https://www.leadfeeder.com/privacy/ 

CHEQ

We use CHEQ-cookies on our website in conjunction with the “CHEQ Acquisition” service to improve the functionality and enhance the user experience of our site, to understand how our website is used and measure the effectiveness of our marketing campaigns and to identify and eliminate bots and invalid traffic from our paid campaigns, audiences, and re-marketing efforts across 15+ platforms. In addition to cookies, we collect IP addresses to detect and block bots and invalid traffic from accessing our paid campaigns and website, to monitor IP addresses for security purposes and protect against malicious activities and to use IP addresses to understand the geographical distribution of our website visitors, helping us tailor our services and content.

The collection and processing of IP addresses are done in accordance with GDPR guidelines to ensure your data privacy.

Service provider: CHEQ AI Technologies Ltd, 23 Yehuda Halevy, Tel Aviv-Jaffa 6513601, Israel. More information: https://cheq.ai/privacy-policy/

Outbrain

We use Outbrain to provide personalized content recommendations and targeted advertisements based on user interests. This helps us understand how visitors engage with our website and related content. When you interact with our site, we collect data on pages visited, time spent on each page, and interactions with content and ads. This information helps us tailor and enhance your browsing experience.

Service Provider: Outbrain Inc., 39 W 13th St, New York, NY 10011, USA. More information: https://www.outbrain.com/privacy/

XING

We use the XING Conversion Pixel on our website. This is an analysis tool from New Work SE, Am Strandkai 1, 20457 Hamburg, Germany (“XING”). With the help of this tool, we can track the behavior of visitors to our website after they have reached our website by clicking on a XING ad. This enables us to evaluate the effectiveness of XING ads for statistical and market research purposes and to optimize future advertising measures.

The data collected by the cookie is anonymous to us and does not allow us to draw any conclusions about the identity of the user. However, the data is stored and processed by XING so that a connection to the respective user profile is possible and XING can use the data for its own advertising purposes in accordance with the XING Privacy Policy.

5. social media 

In addition to this website, we also maintain presences on various social media providers (see the social media providers listed under 5. b.) in order to communicate with the customers, interested parties and applicants active there and to be able to inform them about our services and open job positions. 

a. Icons on our website 

In this context, only simple links are used on this website https://sosafe-awareness.com/de/ for the icons, which do not establish a connection to the respective social media presence when the website is loaded. This distinguishes the social media links used here from the widespread “like” buttons, which already transmit data to the social media providers when the website is loaded, without the button having to be clicked. 

b. Processing of your data when visiting the website of the social media providers 

Insofar as you visit such a social media presence of ours by clicking on the link or directly, your personal data will only be processed by us there to the extent determined under 3. b. and c. above. 

In addition, however, your personal data will also be transmitted to the provider of the social media platform on the website of the social media provider. It is possible that in addition to the storage of the data specifically entered by you on this social media platform, further information is also collected, processed or used by the social media provider. If you are logged in with your personal user account of the respective network while visiting such a social media platform, the social media platform can assign the visit to your account. If you do not wish such an assignment, you must log out of your account and delete the cookies before visiting our social media presence. 

We are not able to track which specific data is processed by the social media providers. For more information on the purpose and scope of the data collection there and on the further processing and use of your data, please refer to the privacy policy of the respective social media provider: 

Facebook 

Facebook is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. 

Privacy Policy: https://www.facebook.com/about/privacy/ 

Opt-Out: https://www.facebook.com/settings?tab=ads 

Twitter 

Twitter is operated by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. 

Privacy Policy: https://twitter.com/de/privacy 

Opt-Out: https://twitter.com/personalization 

LinkedIn 

LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland. 

Privacy Policy: https://www.linkedin.com/legal/privacy-policy 

Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out 

Xing 

Xing is operated by New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany. 

Privacy policy and opt-out: https://privacy.xing.com/de/datenschutzerklaerung 

c. Offline conversions tracking

We are sending data regarding leads that turn into opportunities and customers to LinkedIn. This helps us measure results and optimise ad campaigns outside of our website (on LinkedIn website). In order to achieve this, we upload offline conversions to the Campaign Manager provided by LinkedIn, we create an offline conversion event and then we link the offline conversions to specific campaigns. In this context, in addition to the data specified in sec. 3b above, the following personal data is processed: title, country and lifecycle stage data. Email addresses are hashed using SHA256. Offline conversion data that we upload is stored in LinkedIn’s servers in the United States.

The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is ad relevance optimisation and aggregate reporting on ad conversions.

Offline conversion data will be retained for 180 days, then it will be automatically deleted. The only data that persists is the aggregate conversion reporting in the Campaign Manager. 

LinkedIn 

LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland. 

Privacy Policy: https://www.linkedin.com/legal/privacy-policy 

Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out 

6. integrated contents and services of third parties 

We partly integrate third-party content on our website, such as YouTube and Vimeo videos, maps from Google Maps or graphics from other websites. 

This content is integrated in “extended data protection mode”, which means that no data about you as a user is transmitted if you do not play or click on the content. Only if you agree to the data transmission and play or click on the content, the data mentioned in the next paragraph will be transmitted. We have no influence on this data transmission. The legal basis for the processing of data after your consent is Art. 6 para. 1 lit. a GDPR. 

a. Third party graphics 

In the case of graphics from other websites, the transmission of your IP address to the third-party provider is necessary to display this content. Unfortunately, we have no influence on whether the third-party provider collects or stores the IP address for other purposes beyond the mere display of the content. If we become aware of such use, we will inform you about it in this privacy policy. 

b. Videos: Wistia 

We have integrated the media player from Wistia (Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA) on our website to integrate external video content. In doing so, we use the privacy mode. This means that no personal data is collected without your explicit consent – not even when playing the video. In privacy mode, only anonymized IP addresses and data for viewing a video is collected.

If you allow individual tracking by Wistia when watching the video by allowing this in the cookie banner, Wistia collects the IP address and can thus assign the viewing of a video to a visitor.

Find more privacy information about the video player function in Wistia’s privacy mode at: https://wistia.com/support/developers/player-privacy-mode and about data processing in general at: https://wistia.com/privacy.

c. Google Maps 

By clicking on the Google Maps map on our website, Google (Google Maps is a service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA) receives the information that you have accessed the corresponding subpage of our website. In addition, the data collected during the informational visit to our website is transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want the assignment with your profile at Google, you must log out before activating the map. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) for the provision of needs-based advertising. For more information on the purpose and scope of data collection and processing by Google, please refer to Google’s privacy policy. There you will also find further information on your rights and setting options for protecting your privacy: https://policies.google.com/privacy?hl=de&gl=de

You can terminate this consent at any time by clicking the following button. The legality of the data processing operations already carried out remains unaffected by the revocation. 

d. reCAPTCHA 

reCAPTCHA (provider: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) is used to check whether the data input on our websites (e.g. in the demo form) is done by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google. 

The data processing is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting our web offers from abusive automated queries. 

For more information about Google reCAPTCHA and Google’s privacy policy, please see the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/android.html

e. Cvent 

You can register to the Human Firewall Conference on our website. When you register for and participate in the Human Firewall Conference, we will process your personal data collected as part of the registration process and in connection with your participation in the respective event for the purpose of processing your registration and providing for your participation in the event.

As part of the registration and participation in the Human Firewall Conference, we will send information by email to the contact details you provided.

Legal basis for this is Art. 6 para. 1 lit. b GDPR, i.e. the fulfillment of the contract for participation in the respective event or the implementation of pre-contractual measures, which are carried out at your request.

We use the service provider Cvent Deutschland GmbH, Maximilianstr. 54, 80538 München, Germany, for event registrations and event management. Please find detailed information on data processing and data protection at Cvent in the Cvent privacy policy under the following link: https://www.cvent.com/en/privacy-policy.

7. data deletion and storage period 

Unless otherwise specified in the individual sections, the stored personal data will be deleted if you revoke your consent to storage or if knowledge of this data is no longer required to fulfill the purpose for which it was stored. Furthermore, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. 

We regularly check whether the purpose for which the data was stored is still valid and delete your data immediately if this is no longer the case. However, with regard to the relevant data, the deletion will only take place after the expiry of the deadlines of the tax and commercial law regulations. 

8. disclosure of personal data and recipients 

We will not disclose personal data without your express consent, unless there is a legal reason for permission, e.g. if we are legally obliged to disclose data (information to law enforcement agencies and courts; information to public bodies that receive data based on legal regulations, e.g. social insurance agencies, tax authorities, etc.) or if we involve third parties bound to professional secrecy to enforce our claims. We share your personal data with the following recipients: 

  • We use processors to process personal data for the above-mentioned purposes, who process the personal data on our behalf. We always retain control over the respective personal data and remain the data controller. 
  • For payment processing in the course of orders, we transmit payment details to banks and payment service providers if required by the payment method. 
  • We transmit personal data in individual cases to courts, law enforcement agencies, supervisory authorities, other authorities, tax advisors and lawyers, insofar as this is legally permissible and necessary. 

9. automated decision making 

We will not use your personal data to make automated decisions (including profiling) concerning you that have legal effect on you or similarly significantly affect you. 

10. your rights 

You have the following rights. 

a. Right to information 

Pursuant to Art. 15 GDPR, you have the right to request information about your personal data stored by us free of charge. This also allows you to obtain a copy of the personal data we process about you and to verify whether we are processing it in a lawful manner. 

b. Right to rectification 

In the event of incorrect data, you have the right to rectification in accordance with Art. 16 GDPR. We are obliged to make the correction without delay. 

c. Right to restriction of processing 

You have the right under Article 18 of the GDPR to request that we restrict processing. This allows you to request the suspension of the processing of your personal information, for example, if you want us to determine its accuracy or the basis for processing. 

d. Right to deletion 

Pursuant to Art. 17 GDPR, you have the right to demand that we delete the personal data concerning you without undue delay if the data is no longer required for the purposes for which it was collected or, if the processing is based on your consent, you have revoked your consent. In this case, we must stop processing your personal data and remove it from our IT systems and databases. A right to deletion does not exist insofar as 

  • the personal data may not be deleted due to a legal obligation or must be processed due to a legal obligation; or 
  • the data processing is necessary for the assertion, exercise or defense of legal claims. 

e. Right to data portability 

Pursuant to Art. 20 GDPR, you have the right under certain circumstances to have the personal data concerning you, which you have provided to us, transferred to another controller in a structured, common and machine-readable format. 

f. Right of objection 

You have the right to object to the processing of your personal data insofar as the processing is based on our legitimate interests (or those of a third party) and there are grounds arising from your particular situation on the basis of which you wish to object to the processing on said basis. In particular, you have the right to object if we process your data for direct marketing purposes. 

g. Right to revoke consent under data protection law 

You have the right to revoke your consent to the processing of personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. 

h. Right to complain to a supervisory authority 

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR. 

The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR. 

11. contact 

If you have any questions about the collection, processing or use of your personal data, for information, correction, blocking or deletion of data or general questions and suggestions on the subject of data protection, please contact us directly: 

SoSafe GmbH 
Lichtstr. 25a  
50825 Cologne  
E-Mail: info(at)sosafe.de

The appointed data protection officer, Mr. Sebastian Herting (External Data Protection Officer), can be reached at dpo(at)sosafe.de. 

Managing Directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz 

Commercial register: HRB96220, Cologne Local Court 

Status: January 2023

Mandatory information according to Article 13 GDPR 

In the event of initial contact, we are obliged pursuant to Art. 12, 13 GDPR to provide you with the following mandatory data protection information:  
If you contact us by e-mail, we will only process your personal data if there is a legitimate interest in the processing (Art. 6 (1) (f) GDPR), you have consented to the data processing (Art. 6 (1) (a) GDPR), the processing is necessary for the initiation, establishment, content or amendment of a legal relationship between you and us (Art. 6 (1) (b) GDPR) or another legal norm permits the processing. Your personal data will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions – in particular retention periods under tax and commercial law – remain unaffected. You have the right at any time to receive information free of charge about the origin, recipient and purpose of your stored personal data. You also have the right to object, to data portability and the right to complain to the competent supervisory authority. Furthermore, you can request the correction, deletion and, under certain circumstances, the restriction of the processing of your personal data. For details, please refer to our privacy policy above. 
