Privacy Policy
Effective Date: August 15, 2025
Last Updated: December 31, 2025
Introduction
Trislaa ("we," "us," or "our") is committed to protecting your privacy and personal data. As a Finland-based cybersecurity consultancy building next-generation cyber resilience solutions, we understand the critical importance of data protection and privacy.
This Privacy Policy describes how we collect, use, disclose, and protect personal data in accordance with the EU General Data Protection Regulation (GDPR), Finnish data protection laws, and other applicable privacy regulations. This policy applies to our website, AI-powered cyber resilience products, consulting services, and all business operations.
1. Data Controller and Contact Information
Trislaa
Based in Finland (European Union)
Contact: contact@trislaa.com
For all privacy inquiries, data subject requests, or concerns regarding the processing of your personal information, please contact us at the email above.
2. Scope and Application
This Privacy Policy applies to:
- Visitors to our website (trislaa.com)
- Prospective and current clients
- Users of our AI-powered cyber resilience products and services
- Service providers, vendors, and business partners
- Event participants, webinar attendees, and newsletter subscribers
- Job applicants and contractors
3. Categories of Personal Data We Collect
3.1 Contact and Identity Information
- Name and professional title
- Email address and phone number
- Company name and business address
- Country and timezone information
3.2 Professional Information
- Job role and responsibilities
- Industry and company size
- Professional interests related to cybersecurity
- Information you provide in consultations and service requests
3.3 Technical and Usage Data
- IP address and device information
- Browser type and version
- Pages visited and navigation patterns (when analytics are implemented)
- Access times and session duration
- Referral sources
3.4 Security and Threat Data (AI Product Users)
For users of our cyber resilience AI products, we may process:
- Security logs and threat indicators
- Network and system metadata
- Vulnerability assessment data
- Incident response information
- Configuration and architecture data (anonymized where possible)
Note: We process this data solely to provide our AI-powered security services. We do not sell or share this data with third parties except as necessary to deliver our services or as required by law.
3.5 Communication Data
- Content of emails, inquiries, and support requests
- Feedback and survey responses
- Chat messages and consultation notes
- Event registration and participation information
4. How We Collect Personal Data
4.1 Direct Collection
- Information you provide through contact forms and service inquiries
- Data shared during consultations, meetings, and project engagements
- Registration for events, webinars, and newsletters
- Information provided in Statements of Work (SOWs) and Master Service Agreements (MSAs)
- Job applications and contractor onboarding
4.2 Automated Collection
- Basic web server logs (IP addresses, timestamps)
- Analytics tools (Google Analytics)
- Security monitoring and threat detection through our AI products
4.3 Third-Party Sources
- Professional networking platforms (LinkedIn)
- Public business directories
- Referrals from clients and partners
5. Legal Basis for Processing Personal Data (GDPR)
Under GDPR, we process personal data based on the following legal grounds:
5.1 Contract Performance (Art. 6(1)(b) GDPR)
To execute and deliver services requested by clients under SOWs, MSAs, or other service agreements, including our AI-powered cyber resilience solutions.
5.2 Legitimate Interests (Art. 6(1)(f) GDPR)
To operate our business, improve our services and products, conduct marketing activities, and protect our systems and clients' security, provided such interests do not override your fundamental rights.
5.3 Legal Obligations (Art. 6(1)(c) GDPR)
To comply with applicable laws, regulations, and legal processes (e.g., tax, accounting, anti-money laundering).
5.4 Consent (Art. 6(1)(a) GDPR)
For specific processing activities where required by law, such as marketing communications, newsletters, and non-essential cookies. You may withdraw consent at any time.
6. How We Use Personal Data
6.1 Service Delivery
- Providing cybersecurity consulting and advisory services
- Delivering AI-powered cyber resilience products and threat analysis
- Communicating with clients about projects and deliverables
- Managing contracts, invoicing, and payments
- Responding to inquiries and support requests
6.2 Product Development and Improvement
- Developing and enhancing our AI algorithms and threat detection capabilities
- Training machine learning models (using anonymized/aggregated data)
- Analyzing usage patterns to improve user experience
- Testing and validating security solutions
6.3 Business Operations
- Operating and securing our website and digital infrastructure
- Managing vendor and contractor relationships
- Conducting internal business analysis and planning
- Recruiting and onboarding team members
6.4 Marketing and Communications
- Sending newsletters and industry insights (with your consent)
- Promoting events, webinars, and product updates
- Sharing relevant cybersecurity content and thought leadership
6.5 Security and Compliance
- Protecting our systems and client data from security threats
- Detecting and preventing fraud and abuse
- Complying with legal obligations and responding to legal processes
- Enforcing our terms and policies
7. Cookies and Tracking Technologies
7.1 Current Use
Currently, we use minimal tracking on our website, limited to essential functionality and basic server logs.
7.2 Current Implementation
We plan to implement Google Analytics to better understand how visitors use our website and improve user experience. When implemented, we will:
- Request your consent before setting non-essential cookies
- Provide clear information about what cookies we use
- Allow you to manage your cookie preferences
- Use IP anonymization and privacy-focused configurations
7.3 Your Choices
You can control cookies through your browser settings. Disabling certain cookies may limit website functionality. You can learn more about cookies at www.allaboutcookies.org.
8. Data Sharing and Disclosure
We do not sell your personal data. We may share personal data with the following categories of recipients:
8.1 Service Providers and Processors
We work with trusted service providers to support our business operations:
- Cloud Infrastructure: AWS, Microsoft Azure, or Google Cloud (to be determined based on product deployment)
- Email Services: Professional email hosting providers
- Analytics: Google Analytics (when implemented)
- Payment Processing: Payment processors (when implemented for product sales)
All service providers are contractually required to protect your data and use it only for specified purposes.
8.2 Contractors and Team Members
Trusted contractors and team members who assist with service delivery, bound by confidentiality obligations.
8.3 Legal and Regulatory Authorities
Government agencies, regulators, and law enforcement when required by law or to protect our legal rights and the rights of our clients.
8.4 Business Transfers
In connection with any merger, acquisition, or sale of business assets, personal data may be transferred to successor entities, subject to continued compliance with this Privacy Policy.
9. International Data Transfers
Trislaa is based in Finland (European Union). As we serve clients in both the EU and the United States, personal data may be transferred internationally.
9.1 Transfers Outside the EEA
When transferring personal data outside the European Economic Area (EEA), we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs): EU Commission-approved contracts with data processors and recipients
- Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
- Data Processing Agreements: Contractual protections with all service providers handling EU personal data
9.2 US Clients
For US-based clients, we comply with applicable US privacy laws, including the California Consumer Privacy Act (CCPA) where it applies. We maintain the same high standards of data protection regardless of client location.
10. Data Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements.
10.1 Retention Periods
- Client project data: Duration of engagement plus 7 years (for legal and accounting requirements)
- Marketing data: Until you unsubscribe or request deletion
- Website analytics: Up to 26 months in anonymized/aggregated form
- Security and threat data: As required for threat detection and analysis, typically 12-24 months
- Financial records: As required by Finnish law (typically 6-10 years)
After retention periods expire, we securely delete or anonymize personal data.
11. Data Security
As a cybersecurity-focused company, we take data security seriously and implement industry-standard technical and organizational measures to protect personal data:
11.1 Technical Measures
- Encryption of data in transit (TLS/SSL) and at rest
- Secure access controls and authentication
- Regular security updates and patch management
- Secure development practices for our AI products
- Network security and firewall protection
- Regular security assessments and monitoring
11.2 Organizational Measures
- Access controls based on need-to-know principles
- Confidentiality agreements with all team members and contractors
- Security awareness and training
- Incident response procedures
- Regular review and improvement of security practices
11.3 Growing Security Posture
As we scale, we are committed to pursuing formal security certifications including ISO 27001 and SOC 2. We currently align our practices with these frameworks and maintain documentation to support future certification.
12. Your Rights Under GDPR
As a Finland-based company subject to GDPR, we respect and facilitate your data protection rights:
12.1 Right of Access (Art. 15 GDPR)
Request confirmation of whether we process your personal data and obtain a copy of your data.
12.2 Right to Rectification (Art. 16 GDPR)
Request correction of inaccurate or incomplete personal data.
12.3 Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)
Request deletion of your personal data when it is no longer necessary, when you withdraw consent, or when you object to processing.
12.4 Right to Restriction of Processing (Art. 18 GDPR)
Request limitation of processing when you contest accuracy, object to processing, or need data preserved for legal claims.
12.5 Right to Data Portability (Art. 20 GDPR)
Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
12.6 Right to Object (Art. 21 GDPR)
Object to processing based on legitimate interests, including direct marketing. We will cease processing unless we have compelling legitimate grounds.
12.7 Right to Withdraw Consent (Art. 7(3) GDPR)
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
12.8 Right to Lodge a Complaint
Lodge a complaint with the Finnish Data Protection Authority (Tietosuojavaltuutetun toimisto) or your local supervisory authority if you believe your rights have been violated.
How to Exercise Your Rights
To exercise any of these rights, please contact us at contact@trislaa.com. We will respond within 30 days as required by GDPR.
13. California Privacy Rights (CCPA/CPRA)
For California residents, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, and shared
- Right to delete personal information
- Right to opt out of the sale of personal information (we do not sell personal information)
- Right to non-discrimination for exercising privacy rights
To exercise these rights, contact us at contact@trislaa.com.
14. Children's Privacy
Our services are designed for businesses and professionals. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). If we become aware that we have inadvertently collected such data, we will delete it promptly.
15. Changes to This Privacy Policy
We may update this Privacy Policy as our business evolves, new features are added, or regulations change. We will post the updated policy on our website with a revised "Last Updated" date.
For material changes, we will provide prominent notice on our website or via email to registered users. Your continued use of our services after changes take effect constitutes acceptance of the updated policy.
16. Contact Us
For questions, concerns, or requests related to this Privacy Policy or our data protection practices:
Trislaa
Finland (European Union)
Email: contact@trislaa.com
Finnish Data Protection Authority:
Tietosuojavaltuutetun toimisto
Website: tietosuoja.fi/en
Our Commitment: Trislaa is building the next generation of cyber resilience solutions with privacy and security at the core. As we grow, we remain committed to transparency, responsible data stewardship, and compliance with the highest data protection standards.