Privacy Policy
Plain-Language Summary
This summary provides a quick overview of our Privacy Policy. For complete details, please read the full policy below.
Who we are: Enigma Labs Technology Limited (operating as Enigma Cyber) is a cybersecurity company providing B2B cybersecurity audit, penetration testing, and incident response services. We are registered in the Dubai International Financial Centre (DIFC) under DIFC License No. CL13349.
What data we collect: We collect business contact information, account details, security logs, network metadata, and data necessary to provide our cybersecurity services. We do not direct our services to consumers or children.
Why we collect it: We use your data to provide our services, maintain security, comply with legal obligations, and improve our platform.
Your rights: Under the DIFC Data Protection Law (DIFC Law No. 5 of 2020, as amended), you have rights to access, rectify, and erase your data, to object to certain processing, and to lodge a complaint with the Commissioner of Data Protection. Where we use autonomous or semi-autonomous systems, you have additional rights to challenge outcomes. You can exercise these rights by contacting us.
Data transfers: We transfer personal data outside the DIFC only to jurisdictions on the Commissioner's adequacy list or under DIFC Commissioner-approved standard contractual clauses or another lawful transfer mechanism under the DIFC Data Protection Law.
How to contact us: For privacy questions, email privacy@enigmacyber.com. For data protection matters, contact our Data Protection Officer at dpo@enigmacyber.com.
1. Introduction
1.1 Who We Are
Enigma Labs Technology Limited, operating as Enigma Cyber ("Enigma Labs," "Enigma Cyber," "we," "us," "our," or the "Company"), is a company incorporated and registered in the Dubai International Financial Centre (DIFC), a financial free zone with its own civil and commercial law system. We provide B2B cybersecurity solutions, including cybersecurity audits, penetration testing, incident response, and managed security services.
Company Details:
- Legal Name: Enigma Labs Technology Limited
- Trading Name: Enigma Cyber
- Registered Address: IH-00-01-01-OF-01, Level 1, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates
- DIFC License Number: CL13349
- Website: https://enigmacyber.com
- Privacy Contact: privacy@enigmacyber.com
1.2 Scope of This Policy
This Privacy Policy explains how we collect, use, store, and protect personal data when you:
- Visit our website at https://enigmacyber.com
- Use our cybersecurity platform and services
- Communicate with us regarding our services
- Enter into a contractual relationship with us
This policy applies to all personal data we process as a Controller under the DIFC Data Protection Law. For personal data we process on behalf of our enterprise customers (for example, in the course of penetration testing, managed monitoring, or incident response), we act as a Processor and our customer is the Controller; that processing is described in Section 14 and is governed by the Data Processing Agreement we enter into with the relevant customer.
1.3 Regulatory Framework
This Privacy Policy is designed to comply with:
- The DIFC Data Protection Law, DIFC Law No. 5 of 2020, as amended by DIFC Law No. 2 of 2022 (the "DP Law");
- The DIFC Data Protection Regulations (consolidated 1 September 2023) (the "Regulations"); and
- Directions, guidance and the adequacy list issued by the Commissioner of Data Protection at the Dubai International Financial Centre (the "Commissioner").
The federal United Arab Emirates Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) does not apply to processing carried out within the DIFC; the DP Law applies in its place.
2. Information We Collect
We collect different categories of personal data depending on our relationship with you and the services you use.
2.1 Information You Provide Directly
Account and Contact Information:
- Full name and job title
- Business email address and phone number
- Company name and department
- Billing address and payment information
- Account credentials (username and password; passwords are never stored in plaintext)
Communications Data:
- Email correspondence and support tickets
- Meeting notes and call recordings (with consent)
- Feedback and survey responses
- Information provided during sales inquiries
Contractual Information:
- Signed agreements and order forms
- Purchase order numbers and invoicing details
- Authorized user lists and access permissions
2.2 Information Collected Automatically
Technical and Usage Data:
- IP addresses and device identifiers
- Browser type, version, and language
- Operating system and platform
- Referral source and exit pages
- Pages viewed and features accessed
- Date, time, and duration of visits
- Error logs and system performance data
Security and Network Data: When you use our cybersecurity platform, we process:
- Network traffic metadata (packet headers, connection logs)
- Security event logs and alerts
- Authentication and access logs
- Threat intelligence indicators
- Vulnerability scan results
- System configuration data
Our security assessments are designed to analyse security posture and metadata rather than message content. Where personal data is incidentally encountered in the course of threat detection, we apply the access controls described in Section 8 and the minimisation, retention and deletion procedures described in Section 7.
2.3 Information from Third Parties
We may receive personal data from:
- Business partners and resellers
- Public business directories and professional networks (for example, LinkedIn)
- Credit reference providers (for customer due diligence)
- Regulatory and law-enforcement authorities (when legally required)
2.4 Special Categories of Personal Data
We do not intentionally collect Special Categories of Personal Data within the meaning of the DP Law (such as data revealing racial or ethnic origin, political opinions, religious beliefs, trade-union membership, genetic or biometric data, data concerning health, or data concerning a natural person's sex life or sexual orientation). If such data is incidentally encountered through security monitoring, we apply heightened access controls, minimisation and deletion procedures, and we do not rely on it for any decision affecting the data subject.
3. How We Use Your Information
We process personal data for the purposes set out below. The lawful processing condition under the DP Law on which we rely for each purpose is described in Section 4.
3.1 Service Provision and Contract Performance
Purpose: To deliver our cybersecurity services, maintain your account, and fulfil our contractual obligations.
Activities:
- Provisioning and configuring the platform
- Authenticating users and managing access
- Conducting security assessments and incident response
- Generating security reports and alerts
- Providing customer support and technical assistance
- Processing payments and invoices
Lawful basis (DP Law): Processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
3.2 Legal and Regulatory Compliance
Purpose: To comply with applicable laws, regulations, and legal obligations to which we are subject in the DIFC and the United Arab Emirates.
Activities:
- Maintaining financial and accounting records
- Responding to legal requests and court orders
- Cooperating with regulatory investigations (including those of the Commissioner)
- Filing required reports with authorities
- Complying with cybersecurity, anti-money-laundering and data-protection obligations
- Preventing fraud and unlawful activity
Lawful basis (DP Law): Processing necessary for compliance with a legal obligation to which the Controller is subject.
3.3 Legitimate Interests
Purpose: To operate, secure, and improve our business and services.
Activities:
- Ensuring network and information security
- Preventing unauthorised access and cyberattacks
- Monitoring service performance and reliability
- Conducting analytics to improve our platform
- Developing new features and capabilities
- Managing business operations and internal reporting
- Establishing, exercising or defending legal claims
- Preventing fraud and abuse
Lawful basis (DP Law): Processing necessary for the legitimate interests pursued by the Controller or by a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Legitimate Interests Assessment. Our legitimate interests include maintaining a secure and reliable cybersecurity platform, improving our services to better protect our customers, and operating a sustainable business. We carry out balancing assessments to confirm that these interests do not unjustifiably override your rights. You have the right to object to processing based on legitimate interests (see Section 9).
3.4 Marketing and Business Development (Consent)
Purpose: To communicate about our products, services, and industry developments.
Activities:
- Sending newsletters and product updates
- Inviting you to events and webinars
- Sharing thought leadership and security insights
- Conducting market research
Lawful basis (DP Law): Your consent, given by a clear affirmative act that shows an unambiguous indication of freely given consent for specific, distinguishable purposes. You may withdraw consent at any time, without affecting the lawfulness of processing before withdrawal, by clicking "unsubscribe" in our emails, by changing your preferences in your account, or by contacting privacy@enigmacyber.com.
3.5 Vital Interests and Public Interest
In rare circumstances, we may process personal data to protect a person's vital interests (for example, preventing imminent harm) or in performance of a task carried out in the public interest related to cybersecurity threat sharing.
4. Lawful Bases for Processing
The DP Law requires us to identify a lawful processing condition for every processing activity. We rely on the following conditions, set out in Article 10 of the DP Law (and Article 11 where Special Categories are processed):
4.1 Consent
We obtain consent, by a clear affirmative act and on the basis of plain-language information, for:
- Marketing communications (Section 3.4);
- Non-essential cookies and similar tracking technologies (Section 11);
- Processing of Special Categories of Personal Data where applicable (Article 11 of the DP Law).
Pre-ticked boxes, silence, and inactivity are not valid consent. Where you withdraw consent, withdrawal does not affect the lawfulness of processing carried out before withdrawal.
4.2 Contract Performance
Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. We rely on this condition to:
- Provide our cybersecurity platform and services;
- Manage your account and user access;
- Deliver customer support;
- Process payments.
4.3 Legal Obligation
We process data to comply with legal obligations including:
- DIFC and UAE tax, accounting and record-keeping requirements;
- Statutory retention obligations;
- Regulatory reporting and registration with the Commissioner pursuant to Article 14 of the DP Law and Regulation 3;
- Court orders and other legal process.
4.4 Vital Interests
May apply in emergency situations involving the protection of life.
4.5 Public Interest
May apply to tasks related to cybersecurity threat sharing carried out in the public interest.
4.6 Legitimate Interests
Our legitimate interests include:
- Information Security: protecting our systems, network and data from unauthorised access, attacks and breaches.
- Service Improvement: analysing usage patterns to enhance platform functionality and user experience.
- Business Operations: managing our company, conducting audits, and ensuring business continuity.
- Legal Protection: establishing, exercising or defending legal claims.
- Fraud Prevention: detecting and preventing fraudulent activity.
We carry out a balancing assessment for processing relying on this condition to ensure that our interests are not overridden by your rights.
4.7 Special Categories of Personal Data
Where we process Special Categories of Personal Data within the meaning of Article 11 of the DP Law, we do so only under a condition expressly listed in Article 11 (most commonly, your explicit consent, processing necessary in the context of carrying out the obligations and exercising specific rights of the Controller or of the data subject, or processing necessary for the establishment, exercise or defence of legal claims).
5. Data Sharing and Disclosure
5.1 Categories of Recipients
We may share personal data with the following categories of recipients:
Service Providers and Processors:
- Cloud infrastructure providers (hosting and storage)
- Payment processors
- Customer relationship management (CRM) platforms
- Email and communication service providers
- Analytics and monitoring tools
- IT support and maintenance providers
Professional Advisors:
- Legal counsel
- Accountants and auditors
- Insurance providers
- Consultants and professional service firms
Business Partners:
- Authorised resellers and distributors
- Technology integration partners
- Joint marketing partners (with consent)
Regulatory and Legal Authorities:
- The Commissioner of Data Protection (DIFC)
- The Dubai Financial Services Authority and other competent DIFC authorities
- Courts and tribunals (including the DIFC Courts)
- Law-enforcement authorities and regulators with jurisdiction over our operations
5.2 Processor and Sub-Processor Management
We engage processors and sub-processors to assist in delivering our services. These include cloud hosting providers, payment processors, email delivery services, and customer support platforms. We engage processors only under a written contract that imposes obligations substantially equivalent to those that bind us under the DP Law (including those set out in Article 28 of the DP Law), and we record processor and sub-processor relationships in our Record of Processing Activities maintained under Article 15 of the DP Law and Regulation 2.
A current list of processors and sub-processors is available upon request to privacy@enigmacyber.com. We notify customers of any intended changes to sub-processors with at least 30 days' notice.
5.3 No Sale of Personal Data
We do not sell personal data to third parties. We do not engage in data brokering or monetisation of personal information.
5.4 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred to the acquiring or successor entity. We will require the recipient to protect your personal data consistent with this Privacy Policy and the DP Law. You will be notified of any such change in ownership.
5.5 Legal Disclosures
We may disclose personal data when required by Applicable Law, including:
- To comply with legal process (subpoenas, court orders, directions issued by the Commissioner under Article 59 of the DP Law);
- To respond to requests from public authorities with appropriate legal authority;
- To enforce our terms and agreements;
- To protect our rights, property, or safety, or those of our customers or others;
- To prevent fraud or unlawful activity.
6. International Data Transfers
6.1 The Transfer Regime Under the DP Law
We transfer personal data outside the DIFC only in accordance with Articles 26 and 27 of the DP Law. Those provisions permit a transfer where:
- the destination jurisdiction has been determined by the Commissioner to provide an adequate level of protection (see Section 6.2);
- the transfer is governed by an appropriate safeguard (such as the standard contractual clauses approved by the Commissioner under Regulation 5, or binding corporate rules); or
- a specific derogation under Article 27 of the DP Law applies (for example, the data subject's explicit consent, performance of a contract, important reasons of public interest, or the establishment, exercise or defence of legal claims).
6.2 Transfers to Adequate Jurisdictions
The Commissioner maintains and publishes a list of jurisdictions that provide an adequate level of protection (the "Commissioner Adequacy List"). At the date of this Privacy Policy, the Commissioner Adequacy List, set out in Appendix 3 of the Regulations, includes (among others): the European Economic Area (each EEA member state listed individually), the United Kingdom, Switzerland, Guernsey, Jersey, the Isle of Man, the Faroe Islands, Andorra, Argentina, Canada, Colombia, Japan, New Zealand, Singapore (including Cross Border Privacy Rules and Privacy Recognition for Processors), South Korea (including Cross Border Privacy Rules), Uruguay, the Abu Dhabi Global Market, and California. The most up-to-date list is published by the Commissioner on the Data Protection section of difc.ae.
6.3 Transfers to Non-Adequate Jurisdictions
For transfers to a jurisdiction not on the Commissioner Adequacy List, we rely on one or more of the following:
- Commissioner-Approved Standard Contractual Clauses. Under Regulation 5 of the Regulations, the Commissioner has approved and published standard contractual clauses for transfers outside the DIFC to a non-adequate jurisdiction. We incorporate these clauses, in their then-current form as published on difc.ae, into our contracts with recipients in such jurisdictions.
- Binding Corporate Rules or another mechanism recognised by the Commissioner, where available.
- Specific Derogations under Article 27 of the DP Law, used only where the derogation is genuinely applicable and not as a routine substitute for a safeguard.
Where applicable, we will notify the Commissioner of transfers to non-adequate jurisdictions in accordance with Regulation 3.
6.4 Specific Destinations
The principal destinations to which we transfer personal data are the European Economic Area and the United Kingdom, both of which are on the Commissioner Adequacy List; no additional transfer mechanism is required for those transfers.
We do not currently rely on transfers to jurisdictions outside the Commissioner Adequacy List. If we engage a processor in a non-adequate jurisdiction in the future, we will update this Privacy Policy and put in place an appropriate safeguard under Section 6.3 before the transfer begins.
6.5 Additional Safeguards
Regardless of the legal basis for the transfer, we apply additional technical and organisational measures including encryption in transit (TLS 1.2 or higher), encryption at rest (AES-256), access controls and authentication, and contractual confidentiality obligations on recipients.
You may request a copy of the transfer safeguards we rely on (with confidential commercial terms redacted) by writing to dpo@enigmacyber.com.
7. Data Retention
7.1 Retention Principle
We keep personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which it was processed, in accordance with the storage-limitation principle of Article 9 of the DP Law.
7.2 Specific Retention Periods
The following table sets out our standard retention periods. Specific engagements may require shorter or longer periods, in which case the period agreed with the customer applies.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and contact information | Duration of contract + 7 years | Legal obligation (tax / accounting); contract enforcement |
| Billing and payment records | 7 years | UAE / DIFC tax-record requirements |
| Security logs and audit trails | 1–3 years | Legitimate interest (security) |
| Security assessment data | 90 days – 1 year | Contract performance; security |
| Marketing communications data | Until consent withdrawal + 2 years | Consent; legitimate interest |
| Support tickets and correspondence | 3 years after case closure | Contract performance; legal protection |
| Cookie and analytics data | 13–26 months | Consent; legitimate interest |
| Threat-intelligence indicators (anonymised) | Indefinite | Legitimate interest (security) |
7.3 Retention Criteria
The specific retention period for any given dataset depends on:
- the nature and sensitivity of the data;
- the purpose of processing;
- legal and regulatory retention requirements under DIFC and UAE law;
- contractual obligations with our customers; and
- the existence of, or reasonable anticipation of, a legal claim.
7.4 Deletion and Anonymisation
At the end of the retention period we securely delete the personal data using industry-standard methods, or anonymise it so that data subjects can no longer be identified, and we maintain evidence of deletion as part of our Record of Processing Activities. Upon termination of a customer engagement, we return or delete personal data processed on behalf of the customer in accordance with our Data Processing Agreement.
8. Data Security
8.1 Security Commitment
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction, as required by Article 14 of the DP Law. The measures we apply take account of the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects.
8.2 Technical Measures
Encryption:
- Data in transit: TLS 1.2 or higher for all data transmissions
- Data at rest: AES-256 encryption for stored data
- Key management: Hardware Security Modules (HSMs) for key protection
Access Controls:
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) for all administrative access
- Principle of least privilege
- Regular access reviews and recertification
Network Security:
- Firewalls and intrusion detection / prevention systems
- Network segmentation and isolation
- DDoS protection
- Regular vulnerability scanning and penetration testing
System Security:
- Regular security patching and updates
- Anti-malware and endpoint protection
- Secure software development lifecycle (SDLC)
- Code review and security testing
8.3 Organisational Measures
Policies and Procedures:
- Information Security Policy (aligned with ISO 27001)
- Acceptable Use Policy
- Incident Response Plan
- Business Continuity and Disaster Recovery Plan
Personnel Security:
- Background checks for employees with data access
- Confidentiality undertakings
- Regular security awareness training
- Phishing simulation exercises
Physical Security:
- Secure data-centre facilities with access controls
- Environmental controls and monitoring
- Equipment disposal procedures
8.4 Personal Data Breach Notification
If we become aware of a Personal Data Breach within the meaning of the DP Law, we will:
- notify the Commissioner of Data Protection without undue delay after becoming aware, by writing to commissioner@dp.difc.ae or by submitting the form published on the Data Protection section of difc.ae, in accordance with Regulation 8.1;
- where the Commissioner so directs under Regulation 8.2, communicate the Personal Data Breach to affected data subjects or make a public communication by an appropriate means;
- in respect of personal data processed on behalf of a customer, notify the customer's designated contact without undue delay after we confirm the breach affects their data, as required by the relevant Data Processing Agreement; and
- maintain an internal breach register as part of our Record of Processing Activities.
8.5 Limits of Our Obligations
While we implement reasonable security measures appropriate to the risk, no method of data transmission or storage can be guaranteed to be completely secure. Our liability for security incidents is governed by, and limited to the extent permitted under, our Terms of Service and the DP Law.
9. Your Rights Under DIFC Data Protection Law
Under the DP Law, you have the following rights in respect of your personal data. Several of these rights are subject to conditions and limitations set out in the DP Law and the Regulations.
9.1 Right of Access
You may request confirmation of whether we process your personal data, access to that data, and a copy in a commonly used electronic form, together with information about the purposes, categories of recipients, retention period, the source of the data (if not collected from you), and the existence of any automated decision-making.
9.2 Right to Rectification
You may request correction of inaccurate personal data and completion of incomplete data. Where rectification of particular data is not technically feasible, we will tell you so, consistent with the information we provide under Article 29 of the DP Law, and we are not required to make changes beyond what is technically feasible.
9.3 Right to Erasure
You may request erasure of your personal data where any of the conditions in Article 33(2) of the DP Law applies, including where:
- the data is no longer necessary for its original purpose;
- you withdraw consent and there is no other lawful processing condition;
- the processing is unlawful or erasure is required by Applicable Law; or
- you have objected to the processing and there is no overriding legitimate ground for continuing.
The right to erasure does not apply where processing remains necessary for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
9.4 Right to Object and Right to Restrict Processing
You may object to processing of your personal data where we rely on legitimate interests, and you may ask us to restrict processing in the circumstances permitted by the DP Law (for example, while we verify the accuracy of disputed data).
9.5 Right to Withdraw Consent
Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. The withdrawal mechanism is at least as easy to use as the mechanism by which consent was given.
9.6 Right to Lodge a Complaint with the Commissioner
You have the right to lodge a complaint with the Commissioner of Data Protection at the DIFC at any time. The Commissioner may investigate, mediate, or issue a direction (Article 60 of the DP Law). Multiple data subjects may lodge a complaint collectively in respect of the same alleged contravention. Contact details for the Commissioner are set out in Section 17.
9.7 Right to Apply to the DIFC Courts
You may apply to the DIFC Courts in accordance with Article 63 of the DP Law (typically within 30 days of a finding by the Commissioner), and an appeal lies from the Court of First Instance to the Court of Appeal as provided in that Article.
9.8 How to Exercise Your Rights
To exercise any of these rights:
- Send a written request to privacy@enigmacyber.com or dpo@enigmacyber.com.
- Provide proof of identity sufficient for us to confirm we are responding to the data subject (for example, a copy of an identity document with sensitive information redacted). We may ask for additional information; the response clock does not start until your identity has been reasonably verified, as permitted by Article 33(12) of the DP Law.
- Specify which right you are exercising and provide relevant details.
- We will respond without undue delay and in any event within one month of verified receipt, as required by Article 33 of the DP Law. We may extend that period by a further two months where necessary, taking into account the complexity and number of requests, and we will inform you of any extension within the first month, as permitted by Article 33(7) of the DP Law.
- The first response is free of charge. Where a request is manifestly unfounded or excessive (in particular because of its repetitive character), we may either charge a reasonable fee or refuse to act on the request, in which case we will record the reasons in the register required by Article 33(9) of the DP Law and inform you of your right to complain to the Commissioner.
9.9 Restrictions on the Right of Access
Access may be restricted where, and to the extent that, restriction is a necessary and proportionate measure under Article 33(15) of the DP Law (for example, to avoid obstructing an official inquiry, to protect the prevention, investigation or prosecution of criminal offences, to protect public or national security, or to protect the rights of others). Where we restrict access, we will inform you of the restriction, the reasons (so far as doing so would not undermine the purpose), and your right to complain to the Commissioner and to apply to the DIFC Courts.
10. Use of Autonomous and Semi-Autonomous Systems
Our cybersecurity platform uses machine-learning models and analytics that meet the definition of an autonomous or semi-autonomous System in Regulation 10 of the Regulations (a machine-based system that processes personal data for human-defined or self-defined purposes, and generates output as a result of that processing).
10.1 Where We Use Systems
We use Systems primarily for:
- Detection and triage of security events, alerts, and anomalies in network and endpoint telemetry;
- Risk scoring and prioritisation of vulnerabilities; and
- Enrichment of threat-intelligence indicators.
10.2 Disclosures We Make About Our Systems
In accordance with Regulation 10.2.2 of the Regulations, we disclose:
- (i) Human-defined purposes. The Systems are used to assist our analysts in detecting, prioritising and responding to security events on behalf of our customers, and to operate our platform.
- (ii) Self-defined purposes and limits. Where a System is permitted to define further purposes within human-set principles (for example, to identify new categories of anomaly in telemetry), those purposes operate within the limits of (a) cybersecurity detection and response only; (b) processing minimised to security metadata; and (c) human review before any consequential outcome that affects an individual.
- (iii) Output. Outputs include security alerts, risk scores, and recommended response actions. Outputs are reviewed by our analysts and customer security teams before any action is taken that materially affects an individual.
- (iv) Design principles. The Systems are designed with safeguards including minimisation, segregation of customer telemetry, audit logging of System decisions, and human-in-the-loop review for consequential outputs.
- (v) Codes and standards applied. The Systems are designed and operated with reference to the NIST AI Risk Management Framework. We do not currently claim adherence to any other external code or principles in respect of our Systems.
10.3 Your Rights in Respect of System Processing
You have the right to submit a complaint to us challenging the outcome of any processing of your personal data by a System (Regulation 10.3.5 of the Regulations), and you may complain to the Commissioner in accordance with Article 60 of the DP Law. We do not use Systems to take solely automated decisions producing legal or similarly significant effects on individuals; consequential outputs are reviewed by our analysts or the customer's security team before any action is taken.
10.4 Evidence and Audit
On request from the Commissioner or, in appropriate cases, a data subject, we will make available the evidence required by Regulation 10.2.2(c) to (g), including records demonstrating audit and certification compliance, algorithms triggering human intervention, lawful-basis records, and joint-controller and processor arrangements.
10.5 High-Risk Processing
Our use of Systems constitutes High Risk Processing within the meaning of the DP Law. We accordingly apply the additional requirements of Regulation 10.3.3, including undertaking the Data Protection Impact Assessment process required by Article 20 of the DP Law. Our Data Protection Officer also serves as the Autonomous Systems Officer required by Regulation 10.3.3(d) and can be contacted at dpo@enigmacyber.com.
11. Cookies, Digital Communications and Direct Marketing
11.1 Categories of Cookies
Our website and platform use cookies and similar technologies. We use:
- Strictly necessary cookies — required for core functionality (authentication, security, session management). These are set on the basis of legitimate interest and cannot be disabled without affecting the service.
- Functionality cookies — to remember preferences and settings. Set with your consent.
- Analytics cookies — to understand website usage and improve our services. Set with your consent; data is aggregated and where possible anonymised.
- Marketing cookies — to deliver relevant communications and to measure campaign effectiveness. Set only with your consent.
11.2 Consent for Digital Communications and Services
Where we process personal data for the purposes of enabling Digital Communications and Services within the meaning of Regulation 9 of the Regulations (including cookies, behavioural advertising, direct marketing and pixel, in-app, and cross-app tracking), we:
- give you notice in clear, concise, transparent, intelligible and easily accessible plain language at the time of collection;
- give you an opportunity to opt out on first collection;
- set default privacy preferences to the minimum data necessary;
- present consent through colour-neutral selection mechanisms (we do not use pre-ticked boxes, silence, or inactivity as a basis for consent); and
- provide an easily accessible preferences dashboard where you can review and change your selections, and a clear means of withdrawing consent at any time.
11.3 Cookie Management
You can manage cookie preferences through:
- our cookie consent banner (which appears on first visit and is accessible at any time through the preferences dashboard);
- your browser settings (Chrome, Firefox, Safari, Edge — see each browser's documentation); and
- third-party opt-out tools as applicable.
11.4 Cookie Policy
For detailed information about each cookie we set, including provider, purpose and retention period, please refer to our Cookie Policy.
11.5 "Do Not Track"
We do not currently respond to "Do Not Track" browser signals; you can manage tracking through the mechanisms above.
12. Third-Party Links and Services
12.1 External Links
Our website and communications may contain links to third-party websites, services or resources. This Privacy Policy does not apply to those third parties.
12.2 Disclaimer
We are not responsible for:
- the privacy practices of third-party websites;
- the content or security of external sites; or
- any personal data you provide to third parties.
Access to third-party services is at your sole discretion and risk. We recommend reviewing the privacy notices of any third-party sites you visit.
12.3 Integrated Third-Party Services
Our platform may integrate with third-party services (for example, single-sign-on providers, cloud storage). Your use of these integrations is subject to the third party's terms and privacy notice.
13. Children's Privacy
13.1 Not Directed at Children
Our services are designed for, and directed at, businesses and organisations. We do not knowingly collect personal data from children.
13.2 Age Verification
Our services are intended for use by individuals who are at least 18 years of age. By using our services, you represent that you are at least 18 years old and that you have authority to bind the organisation on whose behalf you are using our services.
13.3 Discovery of Children's Data
If we become aware that we have collected personal data from a child without an appropriate basis, we will take immediate steps to delete the information, terminate any associated account, and notify the relevant customer organisation. If you believe we may have collected data from a child, please contact us immediately at privacy@enigmacyber.com.
14. Data Processing on Behalf of Customers
14.1 Controller and Processor Roles
When we act as Controller. For data we collect directly from you (for example, account information, website usage, direct communications), Enigma Labs Technology Limited is the Controller and this Privacy Policy applies.
When we act as Processor. For personal data our customers upload to or process through our platform (for example, employee or end-user data sent to our platform for monitoring, identity management, or incident response), our customer is the Controller and Enigma Labs Technology Limited acts as a Processor. Our processing is governed by the Data Processing Agreement we enter into with the customer.
14.2 Our Processor Obligations
When acting as a Processor we:
- process personal data only on the documented instructions of the Controller;
- ensure personnel who handle the data are under appropriate confidentiality obligations;
- implement appropriate technical and organisational measures;
- engage sub-processors only with the Controller's authorisation, and on terms that impose obligations substantially equivalent to those that bind us;
- assist the Controller in responding to data-subject requests;
- assist the Controller with security and Personal Data Breach notification obligations under Articles 41 and 42 of the DP Law;
- delete or return personal data at the end of the engagement, in accordance with the Controller's instruction; and
- make available the information necessary for the Controller to demonstrate compliance.
14.3 Data Processing Agreement
Customers must execute our Data Processing Agreement, which:
- documents our processor obligations under Article 28 of the DP Law;
- specifies the subject matter, duration, nature and purpose of processing;
- defines the types of personal data and data subjects;
- lists authorised sub-processors; and
- incorporates Commissioner-approved standard contractual clauses where the engagement involves cross-border transfers.
To request a copy of our Data Processing Agreement, contact privacy@enigmacyber.com or your account representative.
14.4 Customer Responsibilities
As Controllers, our customers are responsible for:
- determining the lawful basis for processing end-user data;
- providing privacy notices to their employees and end-users;
- responding to data-subject requests regarding their data; and
- ensuring that the processing instructions they give us comply with the DP Law and other Applicable Law.
14.5 Record of Processing Activities
We maintain a Record of Processing Activities in accordance with Article 15 of the DP Law and Regulation 2 of the Regulations. The Record is available to the Commissioner on request.
15. Changes to This Policy
15.1 Policy Updates
We may update this Privacy Policy from time to time to reflect:
- changes in our business practices;
- new products or services;
- legal and regulatory developments (including amendments to the DP Law, new Commissioner regulations or guidance, or updates to the Commissioner Adequacy List); and
- changes in technology or security practice.
15.2 Notification of Changes
- Material changes: we will notify you by email or by prominent notice on our website at least 30 days before the changes take effect.
- Non-material changes: we may update the policy without prior notice; the "Last Updated" date in the frontmatter will reflect the change.
15.3 Version Control
This Privacy Policy is version-controlled through the version number, effective date, and last-updated date set out in the frontmatter and in Section 18. Previous versions are available on request.
15.4 Acceptance of Changes
Continued use of our services after changes take effect constitutes acceptance of the revised Privacy Policy. If you do not agree with the changes, please discontinue use of our services.
16. Governing Law and Jurisdiction
16.1 Governing Law
This Privacy Policy, and any non-contractual obligations arising out of or in connection with it, shall be governed by and construed in accordance with the laws of the Dubai International Financial Centre.
16.2 Jurisdiction
Subject to the rights of data subjects to lodge complaints with the Commissioner of Data Protection and to apply to the DIFC Courts under Article 63 of the DP Law, any disputes arising out of or in connection with this Privacy Policy shall be subject to the exclusive jurisdiction of the DIFC Courts (the Court of First Instance and, on appeal, the Court of Appeal).
16.3 Alternative Dispute Resolution
We encourage amicable resolution of disputes. Before initiating legal proceedings, please contact us at privacy@enigmacyber.com to attempt resolution. We will acknowledge privacy complaints within 5 business days and provide a substantive response within 30 days.
16.4 Force Majeure
We shall not be liable for any failure or delay in performing our obligations under this Privacy Policy where such failure or delay results from circumstances beyond our reasonable control.
16.5 Severability
If any provision of this Privacy Policy is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be severed and the remaining provisions shall continue in full force and effect.
16.6 Entire Agreement
This Privacy Policy, together with our Terms of Service and Data Processing Agreement (where applicable), constitutes the entire agreement between you and Enigma Labs Technology Limited regarding the processing of personal data and supersedes prior agreements and understandings on that subject matter.
16.7 Waiver
No waiver of any provision of this Privacy Policy shall be effective unless in writing and signed by the waiving party. Failure to enforce any right shall not constitute a waiver of that right.
17. Contact Information
17.1 Privacy Inquiries
For general privacy questions, data-subject requests, or concerns about this Privacy Policy:
Email: privacy@enigmacyber.com
Postal Address: Enigma Labs Technology Limited, Attn: Privacy Team, IH-00-01-01-OF-01, Level 1, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates
17.2 Data Protection Officer
DPO Contact:
- Email: dpo@enigmacyber.com
- Postal Address: as above, Attn: Data Protection Officer
17.3 Supervisory Authority
You have the right to lodge a complaint with the Commissioner of Data Protection at the DIFC at any time:
- Postal Address: Commissioner of Data Protection, Office of the Commissioner of Data Protection, Level 14, The Gate, PO Box 74777, Dubai, United Arab Emirates
- Breach reporting: commissioner@dp.difc.ae
- Web portal: the Data Protection section of difc.ae
17.4 General Support
For non-privacy-related support inquiries:
- Email: support@enigmacyber.com
- Website: https://enigmacyber.com/support
18. Document Information
| Field | Details |
|---|---|
| Document Title | Privacy Policy |
| Company | Enigma Labs Technology Limited |
| DIFC License Number | CL13349 |
| Version | 2.0 |
| Effective Date | May 19, 2026 |
| Last Updated | May 19, 2026 |
| Jurisdiction | Dubai International Financial Centre (DIFC) |
| Applicable Law | DIFC Data Protection Law No. 5 of 2020 (as amended by DIFC Law No. 2 of 2022); DIFC Data Protection Regulations (consolidated 1 September 2023) |
This Privacy Policy was prepared in accordance with the DIFC Data Protection Law No. 5 of 2020 (as amended) and the DIFC Data Protection Regulations.