We appreciate your visit to our website. Protecting your privacy is very important to us and we want you to feel safe on our website.
The aforementioned personal data is information that relates to an identified or identifiable natural person (hereinafter “data subject”). This includes in particular your name and e-mail address, but also data about your use of our website (e.g. your IP address), information in your CV, etc.
Below, we inform you about the nature, scope and purpose of the personal data we process and inform you about your rights as a data subject.
1. Name and address of the data controller
The responsible party within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is:
Managing Directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz
Phone: +49 221 6508 3800
2. Name and address of the data protection officer
The data protection officer of the controller is
Mr. Sebastian Herting
Herting Oberbeck Datenschutz GmbH
Landline: +49 40 228 69 11 40
3. Type of personal data, purposes of processing, legal basis (in the case of processing controlled by us via the website and outside the website)
a. Website visit for informational purposes
If you visit our website for informational purposes only, without actively providing personal data yourself, we only store access data in so-called server log files. This includes
- the name of the requested file,
- Date and time of retrieval,
- volume of data transferred,
- browser used,
- operating system used,
- IP address,
- requested URL,
- Referrer URL (URL you visited immediately before) and
- the requesting provider.
The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is to enable you to access our website.
The personal data listed are automatically collected by our IT systems when you visit our website. Without processing the personal data (in particular the IP address) for the duration of the session, it may not be possible to display the website, or only to a limited extent.
On our website we provide information that enables a quick electronic contact to us as well as an immediate communication with us. This includes in particular our contact forms. If you contact us by email or contact form, the personal data you provide will be stored automatically.
In addition, we also provide contact options via a contact field and message (via the social media presence) on various social media presences, as listed in more detail in section 5.
In doing so, we generally process the following personal data from you:
- First and last name,
- Email address,
- Phone number and
- personal data contained in the individual cover letter.
We use the personal data you provide exclusively for processing your specific inquiry. Your information may be stored in a customer relationship management system (so-called CRM system) or another organizational tool for customer data.
The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case when the respective conversation with you has ended or a concluded contract is terminated and the data is no longer required.
The legal basis depends in this respect on the information that you provide to us when contacting us in the course of sending an email, the contact form or a message. If the contact is aimed at the conclusion of a contract, the legal basis for the processing is Art. 6 para. 1 lit. b GDPR. If contact is made for other purposes, the legal basis is Art. 6 para. 1 lit. f GDPR.
c. Job application
The processing of certain personal data is also unavoidable in order to carry out an application procedure. We process the following personal data in connection with a job application, which can be made via the applicant portal, via a social media presence, by e-mail or by post, until a decision is made on your application:
Personal information includes in particular
- private contact data (e-mail addresses, telephone numbers, postal address),
- Date and place of birth,
- Marital status,
- Number of children,
- Driving license information and
- Disability Status.
Specialized information also includes
- Letter of Recommendation,
- Cover letter,
- Work Authorization Ticket,
- Previous employments,
- Training History,
- Languages spoken,
- Skills relevant to the job, as well as
- Testimonials and the like.
The aforementioned personal data are required for the selection of suitable employees, the notification of the decision on an application, the coordination of the application process (e.g. personal interview) and for the establishment of an employment relationship.
The legal basis for this processing of personal data is Section 26 (1) sentence 1 BDSG.
We collect the aforementioned personal data directly from you as an applicant during the application and recruitment process. If your application is unsuccessful, we will store this personal data for three months after informing you of this decision.
d. Data collection and use for contract processing
In order to initiate or execute the contractual relationship with you, the processing of certain personal data is unavoidable. In connection with the execution of the contract, including any registration within the scope of our awareness building services, we process the following personal data in particular
- Company name,
- Business address,
- E-mail address,
- Phone number and
- documents or texts submitted by you that contain personal data
and all data necessary for the processing of payments and for the prevention of fraud, in particular
- Credit card or debit card numbers,
- any security codes and
- other billing information.
Insofar as we use this personal data (i) to coordinate the planning, execution, control and administration of your contractual relationship with us, (ii) to provide you with information about your registration or how to make changes in our system or (iii) to carry out payment transactions, the legal basis for these processing operations is Art. 6 (1) lit. b GDPR.
If, on the other hand, the personal data is used for the settlement of disputes, the enforcement of the contractual agreement and the establishment, exercise or defense of legal claims, the legal basis for this processing is Art. 6 para. 1 lit. b or f GDPR, depending on the claims.
If you have submitted your data for the purpose of initiating a contractual relationship, we may pass it on to our sales partners if they are suitable for your segment. The legal basis for this processing is Art. 6 para. 1 lit. f GDPR.
We collect personal data in connection with the performance of the contract directly from you by you providing the personal data yourself when ordering/registering, whether via the self-service portal at https://app.sosafe.de/ or by other means.
After complete processing of the contract, your data will be blocked for further use and deleted after expiry of the statutory retention periods, unless you have expressly consented to further use of your data or we reserve the right to use data beyond this, which is permitted by law and about which we inform you below.
Furthermore, we process your personal data when you register for our newsletter.
To register, you must provide us with your email address. You can voluntarily provide us with additional information, such as your name. The registration takes place via a double opt-in process. After registration, you will receive an email from us in which you must confirm the registration. This entire process is documented and stored. This includes both the storage of the registration and the confirmation time, as well as your IP address.
The legal basis for the processing of personal data in connection with the sending of the newsletter is Art. 6 para. 1 lit. a GDPR.
You can revoke your consent to the processing of your personal data in connection with the sending of the newsletter at any time by cancelling the newsletter. For this purpose, please use the provided link at the end of the newsletter to cancel. The legality of the data processing operations already carried out remains unaffected by the revocation.
f. Demo mail dispatch
Personal data is also processed when you sign up for a demo mailing to test the suitability of our services for your business.
For sending the demo mails as part of our demo (at demo.sosafe.de), but not for our phishing simulations as part of a commission, we use the services of SendGrid, Inc, 1801 California Street, Suite 500, Denver, CO 80202, USA. Cookies and web beacons (tracking pixels) are used within the emails sent by SendGrid when performing the demo mailing. With the help of SendGrid, we analyze the sending of the demo emails. The analysis is used exclusively for the statistical analysis of the messages as well as for the preparation of the evaluation of the demo mail dispatch. The personal data is transferred to the SendGrid server in the USA. Government agencies in the USA may also have access to this personal data. We have concluded the standard contractual clauses adopted by the European Commission with SendGrid in order to ensure the level of data protection of the GDPR in the USA as well.
For demo mailings we process the following registration data
- E-mail address.
As well as the following analysis data
- a message was opened,
- which links, if any, were clicked on and
- Time of retrieval, IP address, browser type and operating system.
The data processing is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR.
You can revoke your consent to the processing of your personal data in connection with the demo mailings at any time by cancelling the demo mailings (by email to firstname.lastname@example.org). The legality of the data processing operations already carried out remains unaffected by the revocation.
Without the corresponding processing of the personal data, the demo mail dispatch may not be provided or may only be provided to a limited extent.
g. Feedback surveys
In addition, personal data is processed when users (employees of our customers) provide personal data in the feedback surveys included in our awareness building services.
On the educational pages associated with our simulated phishing e-mails (links start in each case with https://learning.sosafe.de/…) as well as within the eLearning platform (at https://elearning.sosafe.de), we offer you (as a user) the opportunity to leave us feedback, praise or criticism. The rating you enter (on a scale of 1-5) as well as the optional free text will be made available to your employer, on the one hand, to give him an overview of the feedback from the workforce on the IT security training offered and, on the other hand, will be used by us to improve our services. Therefore, if you provide identification features in the free text or leave your e-mail address for queries regarding your feedback (not reported to employer), this personal data will be processed by us for the aforementioned purpose.
In addition, an evaluation score and comment can also be submitted per eLearning module. These ratings are stored together with your eLearning account on a personal basis.
In addition, we may add links to feedback forms in connection with our Phishing Report Button. These feedback forms are provided by Microsoft, our sub processor, on servers in the EU. Data will be only transmitted if you add and submit data in these forms. We solely use such data for the purposes mentioned in the respective feedback form.
The legal basis for the processing of this personal data by us is Art. 6 para. 1 lit. a GDPR.
h. Interviews for product research and development
Users of our Awareness Building Services may voluntarily participate in interviews. We use the data collected during interviews for internal purposes to further improve our products and services. We may aggregate the results with other participants’ responses in order to share interview results internally within SoSafe. Video recordings and/or transcriptions are only made if you have consented to them. We delete video recordings after 12 months and all other personal interview data after two (2) years.
The legal basis for storing data in the context of videos is your consent pursuant to Art. 6 (1) lit. a GDPR.
i. Google Ads Lead Form Extensions
We use the Google Ads lead form extension service to give you the opportunity to contact us directly via our ads placed on Google Ads. If you provide personal data, this will be stored by Google for 30 days.
The legal basis here is primarily your consent pursuant to Art. 6 (1) lit. a GDPR. If your contact is aimed at concluding a contract, the legal basis for the processing is Art. 6 (1) lit. b GDPR.
In order to make visiting our website more attractive and to enable the use of certain functions, we use so-called “cookies” on our website. These are small text files that are stored on your terminal device.
Cookies allow us, for example, to track and determine your preferences and to identify you individually during a visit to our website. After the end of the browser session, most of the cookies we use are deleted again (“session cookies”). The permanent cookies (“persistent cookies”), on the other hand, remain on your terminal device and thus enable us, for example, to recognize you on your next visit or to analyze your usage behavior. You can revoke your consent at any time with effect for the future here: Cookie Preferences
a. Use of necessary cookies
The purpose of using technically necessary cookies is to simplify the use of our websites for you. Some functions of our website cannot be offered without the use of these cookies. For these, it is partly necessary that your browser is recognized even after a page change. In case of non-acceptance or deactivation of cookies, the functionality of our website may be limited.
These purposes also constitute our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.
In this section, we inform you which services of technology partners we use for reach measurement and online marketing purposes. Insofar as no anonymous or anonymized data is processed or we do not obtain your prior consent in the context of the use of cookie management (Art. 6(1)(a), Art. 7 GDPR), their use is based on our legitimate interest (Art. 6(1)(f) GDPR) in increasing user-friendliness and for the optimization and more targeted control of our offer.
Insofar as you have given your consent to the processing, you can revoke this at any time via the settings in our cookie management. If processing is based on our legitimate interest, you generally have the option to object (opt-out). If no explicit opt-out option of the respective service provider used by us has been specified below, it is possible for you to disable cookies in the settings of your browser. However, this may restrict functions of our online offer. Alternatively or additionally, you can also use the following general opt-out options: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) Cross-territory: https://optout.aboutads.info.
In all cases, the categories of data processed include usage data and metadata. Reach measurement and online marketing are carried out in particular on the basis of cookie and web beacon technology. Special categories of data are not processed in this context.
Unless otherwise stated, the deletion of data is determined in accordance with the privacy statements of the technology partners.
Google Tag Manager
Google Tag Manager is a solution that allows us to manage so-called website tags via an interface (and thus, for example, integrate Matomo and other marketing services into our online offering). The Tag Manager itself (which implements the tags) does not process any user data. With regard to the processing of users’ data, please refer to the following information on Google services.
On this website, we use Matomo for the purposes of traffic analysis, session recording, measuring form/media interactions and A/B tests. For this, we process the following data: Date and time, title of the page being viewed, URL of the page being viewed, URL of the page that was viewed prior to the current page, screen resolution, time in local timezone, files that were clicked and downloaded, link clicks to an outside domain, pages generation time, country, region, city, main language of the browser, user agent of the browser. This data is only processed by us for internal analysis of our website and not shared with any third parties.
We use Google Ads to place ads on the websites of Google, Google partners and in the display network and to measure their success (conversion measurement). In doing so, we only receive an anonymous overall evaluation, but not information related to individual users. You have the option to use the following opt-out option of the service provider: https://adssettings.google.com/.
Facebook Pixels (Facebook Custom Audiences)
The Facebook pixel is a solution for displaying interest-based advertisements to users of our website when they visit the Facebook social network or other websites that also use the method.
Service provider: Facebook Inc, 1601 S California Ave, Palo Alto, California 94304, USA; https://www.facebook.com/policy.php; further information on data collection: https://www.facebook.com/help/186325668085084, https://www.facebook.com/about/privacy/your-info-on-other#applications and https://www.facebook.com/about/privacy/your-info#everyoneinfo.
We use the remarketing function of Twitter Inc. (“Twitter”) on our website. With the Twitter remarketing function, we can address you with advertising based on your interests on the Twitter platform. For this purpose, Twitter uses so-called “tags”. Via this tag, visits to our website as well as data on usage are recorded in pseudonymous, non-personal form. If you subsequently visit Twitter, you will be shown advertisements based on your interests.
Service provider: Twitter International Company, One Cumberland Place, Fenian Street, D02 AX07 Dublin 2, Ireland. More information: https://support.twitter.com/articles/20171528, https://business.twitter.com/de/help/troubleshooting/how-twitter-ads-work.html.
We use HubSpot as an integrated marketing solution to unify our email marketing, social media publishing & reporting, reporting, contact management, and contact forms.
Service Provider: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland. More information: https://legal.hubspot.com/privacy-policy, https://knowledge.hubspot.com/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser, https://knowledge.hubspot.com/account/hubspot-cookie-security-and-privacy.
Microsoft Advertising / Bing
We use Microsoft Advertising / Bing to display interest-based advertisements to users of our website when they visit websites that are part of the Microsoft advertising network.
Service Provider: Microsoft Corporation, One Microsoft Way, Redmond, Washington, USA.
More information: https://about.ads.microsoft.com/en-us/resources/policies/microsoft-advertising-privacy-policy
Service Provider: Wonderkind Global B.V., H.J.E. Wenckebachweg 123, 1096 AM Amsterdam.
More information: https://wonderkind.com/privacy-statement-technology.
5. Social media
In addition to this website, we also maintain presences on various social media providers (see the social media providers listed under 5. b.) in order to communicate with the customers, interested parties and applicants active there and to be able to inform them about our services and open job positions.
a. Icons on our website
In this context, only simple links are used on this website https://sosafe-awareness.com/de/ for the icons, which do not establish a connection to the respective social media presence when the website is loaded. This distinguishes the social media links used here from the widespread “like” buttons, which already transmit data to the social media providers when the website is loaded, without the button having to be clicked.
b. Processing of your data when visiting the website of the social media providers
Insofar as you visit such a social media presence of ours by clicking on the link or directly, your personal data will only be processed by us there to the extent determined under 3. b. and c. above.
In addition, however, your personal data will also be transmitted to the provider of the social media platform on the website of the social media provider. It is possible that in addition to the storage of the data specifically entered by you on this social media platform, further information is also collected, processed or used by the social media provider. If you are logged in with your personal user account of the respective network while visiting such a social media platform, the social media platform can assign the visit to your account. If you do not wish such an assignment, you must log out of your account and delete the cookies before visiting our social media presence.
Facebook is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Twitter is operated by Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.
LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland.
Xing is operated by New Work SE, Dammtorstraße 29-32, 20354 Hamburg, Germany.
c. Offline conversions tracking
We are sending data regarding leads that turn into opportunities and customers to LinkedIn. This helps us measure results and optimise ad campaigns outside of our website (on LinkedIn website). In order to achieve this, we upload offline conversions to the Campaign Manager provided by LinkedIn, we create an offline conversion event and then we link the offline conversions to specific campaigns. In this context, in addition to the data specified in sec. 3b above, the following personal data is processed: title, country and lifecycle stage data. Email addresses are hashed using SHA256. Offline conversion data that we upload is stored in LinkedIn’s servers in the United States.
The legal basis for the processing of this personal data is Art. 6 para. 1 lit. f GDPR. Our legitimate interest is ad relevance optimisation and aggregate reporting on ad conversions.
Offline conversion data will be retained for 180 days, then it will be automatically deleted. The only data that persists is the aggregate conversion reporting in the Campaign Manager.
LinkedIn is operated by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland.
6. Integrated contents and services of third parties
We partly integrate third-party content on our website, such as YouTube and Vimeo videos, maps from Google Maps or graphics from other websites.
This content is integrated in “extended data protection mode”, which means that no data about you as a user is transmitted if you do not play or click on the content. Only if you agree to the data transmission and play or click on the content, the data mentioned in the next paragraph will be transmitted. We have no influence on this data transmission. The legal basis for the processing of data after your consent is Art. 6 para. 1 lit. a GDPR.
a. Third party graphics
b. Videos: Wistia
We have integrated the media player from Wistia (Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA) on our website to integrate external video content. In doing so, we use the privacy mode. This means that no personal data is collected without your explicit consent – not even when playing the video. In privacy mode, only anonymized IP addresses and data for viewing a video is collected.
If you allow individual tracking by Wistia when watching the video by allowing this in the cookie banner, Wistia collects the IP address and can thus assign the viewing of a video to a visitor.
Find more privacy information about the video player function in Wistia’s privacy mode at: https://wistia.com/support/developers/player-privacy-mode and about data processing in general at: https://wistia.com/privacy.
c. Google Maps
You can terminate this consent at any time by clicking the following button. The legality of the data processing operations already carried out remains unaffected by the revocation.
With reCAPTCHA (provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA), it is checked whether the data input on our websites (e.g. in the demo form) is done by a human or by an automated program. For this purpose, reCAPTCHA analyzes the behavior of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g. IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.
The data processing is based on Art. 6 para. 1 lit. f GDPR. We have a legitimate interest in protecting our web offers from abusive automated queries.
7. Data deletion and storage period
Unless otherwise specified in the individual sections, the stored personal data will be deleted if you revoke your consent to storage or if knowledge of this data is no longer required to fulfill the purpose for which it was stored. Furthermore, storage may take place if this has been provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject.
We regularly check whether the purpose for which the data was stored is still valid and delete your data immediately if this is no longer the case. However, with regard to the relevant data, the deletion will only take place after the expiry of the deadlines of the tax and commercial law regulations.
8. Disclosure of personal data and recipients
We will not disclose personal data without your express consent, unless there is a legal reason for permission, e.g. if we are legally obliged to disclose data (information to law enforcement agencies and courts; information to public bodies that receive data based on legal regulations, e.g. social insurance agencies, tax authorities, etc.) or if we involve third parties bound to professional secrecy to enforce our claims. We share your personal data with the following recipients:
- We use processors to process personal data for the above-mentioned purposes, who process the personal data on our behalf. We always retain control over the respective personal data and remain the data controller.
- For payment processing in the course of orders, we transmit payment details to banks and payment service providers if required by the payment method.
- We transmit personal data in individual cases to courts, law enforcement agencies, supervisory authorities, other authorities, tax advisors and lawyers, insofar as this is legally permissible and necessary.
9. Automated decision making
We will not use your personal data to make automated decisions (including profiling) concerning you that have legal effect on you or similarly significantly affect you.
10. Your rights
You have the following rights.
a. Right to information
Pursuant to Art. 15 GDPR, you have the right to request information about your personal data stored by us free of charge. This also allows you to obtain a copy of the personal data we process about you and to verify whether we are processing it in a lawful manner.
b. Right to rectification
In the event of incorrect data, you have the right to rectification in accordance with Art. 16 GDPR. We are obliged to make the correction without delay.
c. Right to restriction of processing
You have the right under Article 18 of the GDPR to request that we restrict processing. This allows you to request the suspension of the processing of your personal information, for example, if you want us to determine its accuracy or the basis for processing.
d. Right to deletion
Pursuant to Art. 17 GDPR, you have the right to demand that we delete the personal data concerning you without undue delay if the data is no longer required for the purposes for which it was collected or, if the processing is based on your consent, you have revoked your consent. In this case, we must stop processing your personal data and remove it from our IT systems and databases. A right to deletion does not exist insofar as
- the personal data may not be deleted due to a legal obligation or must be processed due to a legal obligation; or
- the data processing is necessary for the assertion, exercise or defense of legal claims.
e. Right to data portability
Pursuant to Art. 20 GDPR, you have the right under certain circumstances to have the personal data concerning you, which you have provided to us, transferred to another controller in a structured, common and machine-readable format.
f. Right of objection
You have the right to object to the processing of your personal data insofar as the processing is based on our legitimate interests (or those of a third party) and there are grounds arising from your particular situation on the basis of which you wish to object to the processing on said basis. In particular, you have the right to object if we process your data for direct marketing purposes.
g. Right to revoke consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
h. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, workplace or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
If you have any questions about the collection, processing or use of your personal data, for information, correction, blocking or deletion of data or general questions and suggestions on the subject of data protection, please contact us directly:
The appointed data protection officer is Mr. Sebastian Herting, External Data Protection Officer, who can be reached at dpo(at)sosafe.de.
Managing Directors: Dr. Niklas Hellemann, Lukas Schaefer, Felix Schürholz
Commercial register: HRB96220, Cologne Local Court
Status: January 2023
Mandatory information according to Article 13 GDPR
In the event of initial contact, we are obliged pursuant to Art. 12, 13 GDPR to provide you with the following mandatory data protection information:
If you contact us by e-mail, we will only process your personal data if there is a legitimate interest in the processing (Art. 6 (