Trust Centre
Your trust. Our foundation.
ShieldIQ exists to make cybersecurity understandable, actionable, and verifiable for Irish SMEs. This page sets out how we work, what we commit to, and how we handle your data.
Plain English, always
No consultant jargon. Every report, policy, or assessment is written so you can act on it. If you can't understand it, we haven't done our job.
Security by default
We practise what we preach. Your data stays in the EU, encrypted in transit and at rest, with role-based access controls and full audit logging.
No surprises
Fixed-scope engagements, transparent pricing, and clear success criteria agreed upfront. You know what you're getting and what it costs before we begin.
Independent, not captive
We're vendor-agnostic. Our recommendations serve your security posture — not a reseller margin. No hidden referral fees, ever.
What we help you meet
Frameworks we work with
Our consulting engagements and the ShieldIQ Platform cover the standards Irish and EU businesses are expected to demonstrate against.
SHIELDIQ CYBER
Privacy Policy
app.shieldiqcyber.com
Last updated: April 2026
1. Introduction
ShieldIQ Cyber (“we”, “us”, “our”) operates the ShieldIQ compliance assessment platform at app.shieldiqcyber.com (the “Platform”). This Privacy Policy explains what personal data we collect, why we collect it, how we store and protect it, and your rights under the General Data Protection Regulation (GDPR) and other applicable data protection legislation.
We are committed to protecting your privacy and handling your data with transparency. ShieldIQ is an EU-based service, hosted entirely within the European Union, and designed with data protection principles at its core.
Data Controller: ShieldIQ Cyber, operated by Dr. Matt Lemon. For any data protection queries, contact: privacy@shieldiqcyber.com
2. Data We Collect
We collect only the data necessary to provide the Platform’s services. The table below summarises every category of personal data we process.
Data Category | Specific Data Collected | Purpose | Lawful Basis |
Account Information | Email address, company name, hashed password | Account creation, authentication, communication | Contract (Art. 6(1)(b)) |
Assessment Responses | Answers to framework questionnaires (NIST CSF, NIS2, GDPR, etc.) | Generate compliance scores and AI analysis | Contract (Art. 6(1)(b)) |
Assessment Results | AI-generated scores, category analysis, priority actions, reports | Deliver compliance assessment service | Contract (Art. 6(1)(b)) |
Network Scan Data | Target IP/domain, open ports, services, vulnerability findings | Network vulnerability assessment | Contract (Art. 6(1)(b)) |
Evidence Uploads | Files uploaded by user (policies, screenshots, certificates) | Support compliance evidence management | Contract (Art. 6(1)(b)) |
Organisation Data | Team member emails, roles, shared assessment access | Team collaboration features | Contract (Art. 6(1)(b)) |
Billing Information | Subscription plan, payment status (processed by Stripe — we do not store card details) | Process payments and manage subscriptions | Contract (Art. 6(1)(b)) |
Usage Analytics | Page views, feature usage, assessment completion rates (via Plausible Analytics — no personal identifiers) | Improve the Platform | Legitimate Interest (Art. 6(1)(f)) |
Technical Data | Browser type, IP address (anonymised in analytics), device type | Security, debugging, service delivery | Legitimate Interest (Art. 6(1)(f)) |
2.1 Data We Do Not Collect
- We do not collect or store credit card numbers, bank account details, or payment card data. All payment processing is handled by Stripe, who act as an independent data controller for payment data.
- We do not use tracking cookies, advertising pixels, or behavioural profiling tools.
- We do not sell, rent, or trade your personal data to any third party.
- We do not collect special category data (health, biometric, political opinions, etc.).
3. How We Use Your Data
We process your data exclusively for the following purposes:
- To create and manage your account on the Platform
- To process your assessment responses through our AI analysis engine and generate compliance scores, reports, and recommendations
- To perform network vulnerability scans on targets you submit (with your confirmed authorisation)
- To manage your subscription and process payments via Stripe
- To send transactional emails: assessment results, account notifications, password resets, and scheduled reassessment reminders
- To enable team collaboration features within your organisation
- To improve the Platform based on aggregated, anonymised usage analytics
- To respond to your support queries and communications
We do not use your data for: marketing to third parties, automated individual decision-making with legal effects, profiling, or any purpose beyond delivering and improving the Platform service.
4. AI Processing of Assessment Data
A core feature of the Platform is AI-powered analysis of your assessment responses. It is important that you understand how this works.
4.1 How AI Analysis Works
When you complete an assessment, your responses are sent to a third-party AI language model API for analysis. The AI evaluates each response against the relevant compliance framework and generates scores, written analysis, and prioritised recommendations.
4.2 What Is Sent to the AI
- Your assessment responses (the answers you provide to framework questions)
- The framework context (e.g., NIST CSF category descriptions, NIS2 requirements)
- Your company name (for contextualising the report)
4.3 What Is Not Sent to the AI
- Your email address or password
- Your billing or payment information
- Network scan results
- Evidence uploads
4.4 AI Data Retention
We use our AI provider’s API under a zero-data-retention agreement where available. This means your assessment responses are processed by the AI model in real-time and are not retained by the AI provider for training, logging, or any other purpose beyond generating the immediate response. The generated analysis is stored on our own infrastructure, not on the AI provider’s systems.
5. Data Storage & Infrastructure
5.1 Where Your Data Is Stored
All data is stored within the European Union. Our infrastructure is hosted on Amazon Web Services (AWS) in the eu-west-1 region (Dublin, Ireland). The application runs as Docker containers with:
- Application server container
- MySQL database container (encrypted at rest)
- Encrypted disk volumes for all stored data including evidence uploads and backups
- Encrypted communication between application and database containers
Your data does not leave the EU for storage purposes. The only data that traverses outside the EU is assessment response data sent to the AI API for processing (see Section 4), which is subject to appropriate safeguards.
5.2 Encryption
We employ encryption at multiple layers to protect your data:
Layer | Method | Details |
Data in transit (HTTPS) | TLS 1.2 / 1.3 | All connections to the Platform are encrypted via HTTPS. No unencrypted HTTP access is permitted. |
Data in transit (internal) | Encrypted connection | Communication between application server and database server Docker containers is encrypted in transit. |
Data at rest (database) | MySQL encryption | MySQL database is configured with encryption at rest for all data and log files. |
Data at rest (disk) | Encrypted volume | The underlying server disk volumes are encrypted, covering all stored data including uploads, reports, and backups. |
Passwords | bcrypt | Passwords are hashed using bcrypt with a unique salt per user. We never store plaintext passwords. |
Backups | Encrypted | Database backups are stored on encrypted volumes. |
5.3 Access Controls
Access to production infrastructure and customer data is restricted to the ShieldIQ founder and any authorised personnel, using multi-factor authentication (MFA), SSH key-based access, and the principle of least privilege. There is no shared or generic access to production systems.
6. Third-Party Data Processors
We use a limited number of third-party services to operate the Platform. Each acts as a data processor under a Data Processing Agreement (DPA) or equivalent contractual terms.
Processor | Purpose | Data Processed | Location / Safeguards |
Amazon Web Services (AWS) | Cloud hosting, database, file storage, email delivery (SES) | All platform data | EU (Dublin, eu-west-1). AWS DPA in place. |
AI Language Model Provider | AI analysis of assessment responses | Assessment responses, company name, framework context | US-based API. EU SCCs in place. Zero-data-retention where available. |
Stripe | Payment processing and subscription management | Email, plan details. Stripe independently controls card data. | EU processing available. Stripe DPA in place. |
Plausible Analytics | Privacy-friendly website analytics | Anonymised page views, referrers, device type. No personal identifiers. | EU-hosted. No cookies. GDPR compliant by design. |
We do not use Google Analytics, Facebook Pixel, or any other tracking technology that profiles users or shares data with advertising networks.
7. Cookies & Local Storage
7.1 Essential Storage
The Platform uses browser localStorage (not cookies) for the following essential functions:
- Authentication token: keeps you logged in during your session
- Assessment draft auto-save: preserves your progress if you navigate away mid-assessment
- Dark mode preference: remembers your theme setting
- Cookie/storage consent preference: records your consent choice
These are strictly necessary for the Platform to function and do not require consent under GDPR.
7.2 Analytics
If you consent, Plausible Analytics collects anonymised usage data. Plausible does not use cookies and does not collect personal identifiers. You can opt out at any time via the Platform’s cookie consent banner. If you select “Essential Only”, no analytics data is collected.
7.3 We Do Not Use
- Tracking cookies
- Third-party advertising cookies
- Cross-site tracking or fingerprinting
- Session replay or screen recording tools
8. Data Retention
We retain your data only for as long as necessary to provide the service and comply with legal obligations.
Data Type | Retention Period | After Deletion |
Account data | Retained while your account is active. Deleted within 30 days of account deletion request. | Permanently erased from database and backups within 90 days. |
Assessment responses & results | Retained while your account is active. | Deleted with account. Individual assessments can be deleted at any time by the user. |
Network scan results | Retained for 12 months, then automatically purged. | Permanently deleted. |
Evidence uploads | Retained while your account is active. | Files permanently deleted from S3 within 30 days of account deletion. |
Billing records | Retained for 7 years as required by Irish/EU tax and accounting regulations. | Deleted after the statutory retention period. |
Server logs | Retained for 30 days for security and debugging purposes. | Automatically purged. |
9. Your Rights Under GDPR
As an EU/EEA data subject, you have the following rights. We will respond to any request within 30 days.
- Right of Access (Art. 15): You can request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): You can request correction of inaccurate personal data.
- Right to Erasure (Art. 17): You can request deletion of your account and all associated data.
- Right to Restriction (Art. 18): You can request we restrict processing of your data in certain circumstances.
- Right to Data Portability (Art. 20): You can request your data in a structured, machine-readable format (CSV/JSON).
- Right to Object (Art. 21): You can object to processing based on legitimate interest.
- Right to Withdraw Consent: Where processing is based on consent (analytics), you can withdraw at any time.
- Right to Lodge a Complaint: You have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at dataprotection.ie, or your local supervisory authority.
To exercise any of these rights, email: privacy@shieldiqcyber.com
We will verify your identity before processing any request. We do not charge a fee for reasonable requests.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Irish Data Protection Commission within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Document the breach, its effects, and the remedial action taken in our internal breach register
11. International Data Transfers
Your data is stored entirely within the EU (AWS Dublin, eu-west-1). The only international transfer occurs when assessment response data is sent to a third-party AI language model API for analysis. The AI provider is US-based. This transfer is protected by:
- EU Standard Contractual Clauses (SCCs) incorporated into our agreement with the AI provider
- Zero-data-retention configuration where available, meaning your data is processed in real-time and not stored by the AI provider
- Technical measures: data is transmitted over encrypted connections (TLS 1.2 / 1.3) and only the minimum data necessary for analysis is sent
12. Children’s Data
The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice on the Platform. The “Last updated” date at the top of this policy will always reflect the most recent revision.
14. Contact Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:
Data Controller: ShieldIQ Cyber
Contact: Dr. Matt Lemon
Email: privacy@shieldiqcyber.com
Website: app.shieldiqcyber.com
Supervisory Authority: Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Website: dataprotection.ie
End of Privacy Policy