Last updated: 03/24/2026
This Privacy Policy explains how Vietnam CyStack JSC and its affiliates ("CyStack," "we," "us," or "our") collect, use, store, and share personal data when you access our websites, platforms, and services (collectively, the "Services").
By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please discontinue use of the Services. Capitalized terms not defined here have the meanings assigned in our Terms of Service.
1. Scope
This Privacy Policy applies to all CyStack products and services, including:
- CyStack Platform - cystack.net and associated management dashboards
- Locker Password Manager - locker.io
- CyStack Endpoint - endpoint protection and data loss prevention (DLP)
- WhiteHub - bug bounty and vulnerability disclosure platform
- CyStack VulnScan - automated vulnerability scanning
- Data Leak Detection - credential and data exposure monitoring
- Professional Services - penetration testing, red teaming, infrastructure and blockchain audits, SOC, DFIR, vulnerability management, and security training
Where a product has additional or specific data handling practices, they are described in Section 4 of this Policy.
2. Data We Collect
2.1 Information You Provide
Note on credentials: Server credentials provided for security assessment engagements are used solely within the contracted scope and duration, and are deleted upon completion unless otherwise agreed in writing.
2.2 Information Collected Automatically
- Device and browser data: Operating system, browser type and version, device identifiers, and IP address. Used for account security, service optimization, and regulatory compliance (e.g., displaying region-specific notices based on IP geolocation).
- Usage data: Pages visited, features used, timestamps, and interaction patterns. Used to improve service performance and user experience.
- Cookies and similar technologies: We use essential cookies for core functionality, analytics cookies (e.g., Google Analytics) to understand usage patterns, and affiliate cookies to track referral partnerships. You can manage cookie preferences through your browser settings or our cookie consent mechanism where applicable.
2.3 Information from Third Parties
- Social sign-in: If you authenticate via Google, GitHub, Facebook, or similar providers, we receive only your default public profile information (typically email and avatar).
- Payment processors: Our payment partners share your name and billing address for account verification. CyStack does not store payment card numbers on its systems.
- Analytics providers: We receive aggregated and pseudonymized usage data from analytics services for application performance monitoring.
3. How We Use Your Data
We process personal data for the following purposes:
- Service delivery: To provide, operate, maintain, and improve the Services.
- Account management: To create and manage your account, verify your identity, and process transactions.
- Security: To detect, prevent, and respond to fraud, abuse, security threats, and technical issues.
- Communication: To send service-related notifications, respond to inquiries, and provide support.
- Product improvement: To analyze usage patterns and improve functionality, usability, and performance of our Services.
- Legal compliance: To comply with applicable laws, regulations, and legal processes.
- Marketing: To send product updates, security advisories, and promotional content - only with your consent or where permitted by applicable law. You may opt out at any time via the unsubscribe link in any marketing email. We will process your opt-out request within 7 business days.
4. Product-Specific Data Practices
4.1 Locker Password Manager
Locker uses a zero-knowledge, end-to-end encryption architecture. Your vault data - including passwords, secure notes, payment cards, and other stored items - is encrypted locally on your device using a key derived from your Master Password before transmission to our servers.
CyStack cannot access your Master Password or your vault data in decrypted form. If you lose your Master Password, we cannot recover your vault.
Data CyStack can access: account email, subscription status, device metadata, and aggregate usage statistics (e.g., item count - not item content).
4.2 CyStack Endpoint
CyStack Endpoint collects device-level data required for endpoint protection and DLP functions, including device identifiers, OS and software inventory, file activity logs, network connection metadata, and policy compliance status. Data collection is limited to the security functions enabled by your organization's administrator and governed by your organization's service agreement.
4.3 WhiteHub
Researcher profiles, vulnerability reports, proof-of-concept materials, and communication history are stored to operate the bug bounty platform. Program owners (organizations) can access reports submitted to their programs. Researcher identity is shared with program owners only with the researcher's consent or as necessary for reward processing.
4.4 VulnScan & Data Leak Detection
These services scan publicly accessible assets and external data sources. Scan results - including discovered vulnerabilities and exposed credentials - are stored within your account and accessible only to authorized users in your organization.
4.5 Professional Services
For penetration testing, red teaming, security audits, DFIR, SOC, and related engagements, data handling is governed by the service agreement with your organization. Assessment findings and deliverables are provided exclusively to the contracting organization. All engagement data is deleted from CyStack systems according to the agreed retention schedule.
5. Data Sharing
CyStack does not sell, rent, or trade your personal data.
We may share data in the following limited circumstances:
- Service providers: With trusted third-party vendors who assist in operating our Services (e.g., cloud infrastructure, payment processing, analytics), bound by data processing agreements requiring equivalent data protection.
- Within your organization: For enterprise products (CyStack Endpoint, WhiteHub), authorized administrators within your organization may access service data as part of normal product functionality.
- Legal obligations: When required by applicable law, regulation, court order, or governmental authority.
- Business transfers: In connection with a merger, acquisition, or asset sale, your data may transfer to the successor entity under equivalent privacy protections. We will notify you before such transfer takes effect.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes described in this Policy:
- Active accounts: Data is retained for the duration of your account or service agreement.
- After account deletion: Personal data is deleted or anonymized within 30 days of account deletion, except where longer retention is required for legal, tax, or accounting obligations.
- General limit: Where no specific retention requirement applies, we do not retain personal data for longer than two (2) years after your last interaction with us.
- Professional services: Engagement data is retained according to the schedule specified in each service agreement.
7. Data Security
We implement technical and organizational measures to protect your data, including encryption in transit (TLS 1.2+) and at rest (AES-256), access controls based on the principle of least privilege, regular internal and external security assessments, and continuous monitoring with real-time alerting.
For a detailed description of our security practices, see our Security page.
8. International Data Transfers
CyStack is headquartered in Vietnam with operations in Canada, and engages service providers in various countries. When personal data is transferred outside your jurisdiction, we ensure appropriate safeguards are in place.
For transfers from the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. For transfers of Vietnamese citizens' data, we comply with the cross-border data transfer requirements under Vietnam's Law on Personal Data Protection (Law No. 91/2025/QH15), including conducting Data Protection Impact Assessments (DPIA) and filing transfer dossiers with the Ministry of Public Security as required.
9. Compliance with Vietnamese Law
CyStack complies with Vietnam's data protection framework, including:
- Law on Personal Data Protection (Law No. 91/2025/QH15), effective January 1, 2026, which establishes comprehensive rights for data subjects and obligations for data controllers and processors.
- Decree No. 356/2025/NĐ-CP on Personal Data Protection, effective January 1, 2026, which introduced foundational requirements for consent, data processing, impact assessments, and cross-border transfers.
- Law on Cybersecurity (Law No. 24/2018/QH14) and its implementing Decree No. 53/2022/NĐ-CP.
Under these regulations, CyStack fulfills the following obligations:
- Obtaining clear, informed consent before collecting and processing personal data, in compliance with statutory requirements for consent form and content.
- Distinguishing between basic personal data and sensitive personal data, and applying enhanced protections for sensitive data categories.
- Maintaining Data Protection Impact Assessment (DPIA) records for data processing activities as required.
- Appointing a designated data protection function responsible for overseeing compliance.
- Notifying the competent authority (Ministry of Public Security) in the event of a personal data breach, within the timeframe prescribed by law.
- Complying with cross-border data transfer requirements, including impact assessments and regulatory filings when transferring Vietnamese citizens' data outside Vietnam.
10. Your Rights Under Vietnamese Law
Under the Law on Personal Data Protection (Law No. 91/2025/QH15), you have the following rights:
- Right to be informed: Know what personal data is collected and how it is processed.
- Right to consent: Provide or withdraw consent for the processing of your personal data.
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data. If you delete your CyStack account, your data will be deleted in accordance with Section 6.
- Right to restrict processing: Request limitation of data processing activities in certain circumstances.
- Right to object: Object to the processing of your personal data where processing is based on legitimate interests.
- Right to data portability: Request your personal data in a structured, commonly used, and machine-readable format.
To exercise any of your rights, please contact us at security@cystack.net. We will respond within the timeframes prescribed by law, specifically as follows:
- Initial Response: Within 02 working days from the receipt of a valid request (regarding withdrawal of consent, deletion, correction, etc.).
- Completion of Consent Withdrawal: Within 15 days.
- Completion of Access and Correction Rights: Within 10 to 15 days.
- Completion of Data Deletion Rights: Within 20 to 30 days.
11. Your Rights Under GDPR (EEA Users)
If you are located in the European Economic Area (EEA), the following additional provisions apply:
Data Controller: Vietnam CyStack JSC acts as the data controller for personal data processed through the Services.
Legal Bases for Processing:
- Performance of contract: Processing necessary to provide you with the Services under our Terms of Service.
- Legitimate interest: Administering business communications, ensuring service security and reliability, and understanding how our products are used - balanced against your rights and interests.
- Consent: For marketing communications and any other processing where consent is the applicable legal basis. You may withdraw consent at any time without affecting the lawfulness of prior processing.
Your GDPR Rights:
In addition to the rights listed in Section 10, EEA users may:
- Object to processing based on legitimate interests (including for marketing purposes).
- Request data portability (where processing is based on consent and carried out by automated means).
- Lodge a complaint with a supervisory authority in your member state.
12. Children's Data
CyStack Services are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without appropriate parental or guardian consent, we will take steps to delete such data promptly. If you believe we may have collected data from a child, please contact us at security@cystack.net.
13. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, products, or applicable laws. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you via email or in-product notification. We encourage you to review this Policy periodically.
14. Contact
For questions, concerns, or requests related to this Privacy Policy or your personal data, please contact:
Vietnam CyStack JSC
Email: security@cystack.net
Address: Tan Hong Ha Complex, 317 Truong Chinh, Hanoi, Vietnam
Phone: (+84) 247 109 9656