Privacy Policy and Data Processing Addendum
Plain summary. ZeroExfil is a security platform. To do its job we collect security telemetry from the endpoints you choose to install our agent on, plus a small amount of personal data about the people who sign in to manage it. We store this data on Microsoft Azure infrastructure that we control, primarily in Microsoft Azure West Europe (Netherlands). We keep operational data for 180 days, advanced hunting telemetry for 30 days, and we delete everything within 180 days of the end of your contract. We are based in Zurich, Switzerland and the contractual terms below apply whether you are in the EU/EEA, the UK, Switzerland, or the United States.
1. Who is responsible
This Privacy Policy is issued by Olsson Security, Baslerstrasse 77, 8048 Zurich, Switzerland. For privacy-related questions or to exercise your rights, contact contact@zeroexfil.com.
- For account information about portal users (the people who sign in to manage ZeroExfil), Olsson Security acts as a data controller.
- For endpoint security telemetry collected by your ZeroExfil agents, your organisation is the data controller and Olsson Security acts as a data processor on your behalf. The terms in section 9 ("Data Processing Addendum") govern that relationship.
2. What data we process
2.1 Account data (we are the controller)
- Email address, full name (as you provide it), and a salted bcrypt hash of your password.
- Tenant memberships, role, and join requests.
- Login timestamps, token version, and a per-session JWT used to keep you signed in for up to seven days.
- Optional Multi-Factor Authentication secret and one-time backup codes if you enable MFA.
- The version and timestamp of these Terms you accepted, and the IP address you accepted from. We keep this so we can demonstrate consent.
- The email verification code (stored only as a SHA-256 hash) and its expiry, until you verify or it expires.
2.2 Endpoint telemetry (you are the controller)
The ZeroExfil agent is deliberately minimal. On devices you install it on, it collects only the telemetry needed to detect malicious or suspicious activity:
- File operations relevant to detection rules (creation, modification, rename, deletion, and cryptographic hashes of files matched by a rule). This is the primary data source the agent streams.
- Network connection metadata (destination IP, port, protocol, and the process responsible) is collected only when needed for context — specifically, within a 30-minute window around an alert triggering on the same device. Outside that window, network telemetry is not retained.
- Device metadata (hostname, OS version, agent version, last seen) so you can identify the endpoint in the portal.
- Operator actions taken in response (isolate, release, kill process, run script) for audit purposes.
The agent does not continuously record process executions, command lines, module loads, registry activity, authentication events, document contents, browsing history, keystrokes, screenshots, microphone, or camera data. It does not access personal cloud accounts. Continuous network packet capture is not performed at any time.
2.3 Email delivery
Transactional emails (verification codes, alert notifications you opt in to) are sent through Azure Communication Services. The "to" address and message body are processed by Microsoft Azure for delivery. We do not send marketing email through the platform.
2.4 Server logs
Our backend records standard request logs (IP address, request path, response code, timestamp, user agent) for security monitoring and abuse prevention. These logs are retained for up to 90 days and are not used for advertising.
3. Why we process it (purposes and legal basis)
| Purpose | Legal basis (EU/UK/CH GDPR) |
|---|---|
| Provide the Service to you and your tenant | Performance of a contract (Art. 6(1)(b)) |
| Verify your email address and authenticate sign-in | Performance of a contract; legitimate interest in account security (Art. 6(1)(f)) |
| Detect and respond to threats on devices you monitor | Processed on behalf of your organisation as controller |
| Rate limiting, abuse prevention, server security logs | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations and defend claims | Legal obligation (Art. 6(1)(c)); legitimate interest |
| Demonstrate that you accepted these Terms | Legal obligation; legitimate interest in compliance |
4. Where data is stored and who can access it
All Customer Data and account data is stored on Microsoft Azure infrastructure operated by Olsson Security. The primary processing region is Microsoft Azure West Europe (Netherlands). Some Microsoft sub-services (for example, global Azure identity and Azure Communication Services routing) may transit other Microsoft regions to deliver the Service.
Inside Olsson Security, access to production data is limited to engineers who need it to operate, secure, or support the Service. Access is gated by Multi-Factor Authentication and is logged.
5. Sub-processors
The following sub-processors process Customer Data on our behalf. We will give reasonable notice before adding or replacing a sub-processor.
| Sub-processor | Purpose | Location |
|---|---|---|
| Microsoft Azure (Cosmos DB, App Service, Storage) | Database, application hosting, file storage | Microsoft Azure West Europe (Netherlands) |
| Microsoft Azure Communication Services | Transactional email delivery | Microsoft Azure (multi-region) |
| Microsoft Azure Functions | Scheduled detection processing | Microsoft Azure West Europe (Netherlands) |
6. International transfers
Olsson Security is established in Switzerland, which the European Commission recognises as providing an adequate level of data protection. For transfers from the EEA, the UK, or Switzerland to any sub-processor outside an adequacy region, we rely on the European Commission's Standard Contractual Clauses (Module 2 or Module 3 as applicable), the UK Addendum, and the Swiss FDPIC supplemental clauses, together with technical safeguards (encryption in transit, encryption at rest, access controls). Microsoft is contractually bound to the EU Standard Contractual Clauses through the Microsoft Online Services Data Protection Addendum.
If you are in the United States, the same safeguards apply to your data when it is processed in our European region.
7. Retention
- Operational data (alerts, investigations, devices, response actions, configuration, rule state, audit trail visible in the portal): 180 days rolling.
- Advanced hunting telemetry (queryable in the investigation experience): 30 days from ingestion.
- During a grace period or suspended-mode licensing: data remains available to you under the standard windows above.
- After contract termination or expiration: all Customer Data is permanently and irrecoverably erased no later than 180 days from the termination or expiration date.
- Account records (email, role, audit logs of security-relevant administrative actions): retained while your account exists, then erased within 90 days, except where a longer period is required by law or to defend legal claims.
- Email verification code: hashed value deleted on successful verification or 15 minutes after issue, whichever is sooner.
- Server request logs: up to 90 days.
8. Your rights
Depending on where you live, you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion of your account and the personal data tied to it.
- Object to or restrict certain processing.
- Receive a copy of your account data in a portable format.
- Withdraw any consent you have given (without affecting prior lawful processing).
- Lodge a complaint with your data protection authority. In Switzerland this is the Federal Data Protection and Information Commissioner (FDPIC). In the EU/EEA it is your national supervisory authority.
For requests about endpoint telemetry, contact your tenant administrator first; that data is held on your organisation's behalf. For requests about account data we hold as controller, email contact@zeroexfil.com. We will respond within 30 days.
California residents: we do not "sell" or "share" personal information as defined by the CCPA/CPRA. The categories of personal information we process are listed in section 2; the purposes and retention periods are listed in sections 3 and 7. You may exercise CCPA rights by contacting contact@zeroexfil.com.
9. Data Processing Addendum
This section forms a Data Processing Addendum ("DPA") between you (or your organisation, the "Controller") and Olsson Security (the "Processor") for endpoint telemetry processed by the Service. By accepting the Terms, you and Olsson Security accept this DPA.
9.1 Subject matter and duration
The Processor processes Customer Data on behalf of the Controller solely to provide the Service described in the Terms, for as long as the contract is in force and for the retention periods in section 7 above.
9.2 Nature, purpose, and types of data
- Nature and purpose: detection, investigation, and response to malicious or suspicious activity on Controller's endpoints.
- Categories of data subjects: Controller's employees, contractors, and other authorised users of monitored endpoints.
- Categories of personal data: device identifiers, usernames associated with file operations, file metadata and hashes, network connection metadata limited to a 30-minute window around an alert, and operator actions, as described in section 2.2.
9.3 Processor obligations
- Process Customer Data only on documented instructions from the Controller, including the Terms and the configuration the Controller chooses in the portal.
- Ensure that personnel authorised to access Customer Data are bound by confidentiality.
- Implement the technical and organisational measures listed in section 11.
- Engage sub-processors only as listed in section 5; the Controller authorises these sub-processors and any future sub-processors notified in advance.
- Assist the Controller in responding to data subject requests and in meeting obligations under Articles 32 to 36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to the Processor.
- Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Customer Data.
- At the Controller's choice, delete or return Customer Data at the end of the contract, subject to the retention rules in section 7.
- Make available to the Controller information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by it, on reasonable notice and at the Controller's expense, subject to confidentiality.
9.4 International transfers
Where required, the parties agree that Module 2 (controller to processor) or Module 3 (processor to processor) of the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, and the Swiss FDPIC supplemental terms are incorporated by reference into this DPA and apply to transfers of Customer Data outside the EEA, UK, or Switzerland.
10. Security measures
- TLS encryption for all data in transit between agent, portal, and backend.
- Encryption at rest provided by Microsoft Azure for Cosmos DB, App Service, and Storage.
- Tenant isolation enforced at the application layer (every Customer Data record is partitioned by tenant ID and authorised access requires a valid session for that tenant).
- Bcrypt-hashed passwords, optional Time-based One-Time Password (TOTP) MFA, and per-account JWT token versioning so the user can sign out everywhere.
- Rate limiting on authentication, registration, and verification endpoints.
- Email verification required before sign-in.
- Audit logging of security-relevant administrative actions.
- Least-privilege access to production for Olsson Security personnel, gated by MFA.
11. Children
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided data to the Service, contact us and we will delete it.
12. Cookies on the portal
The portal at security.zeroexfil.com sets one essential cookie, zex_token, after sign-in. It is HttpOnly, Secure, SameSite=Strict, and expires after seven days. We do not use advertising or tracking cookies on the portal. The marketing site at www.zeroexfil.com does not set tracking cookies and does not use third-party analytics.
13. Changes
We may update this Privacy Policy and DPA from time to time. The version and effective date are shown at the top of this page. If a change materially affects your rights, we will give reasonable notice (for example, by email or via the portal) before it takes effect.
14. Contact
Olsson Security
Baslerstrasse 77
8048 Zurich, Switzerland
contact@zeroexfil.com