Privacy Policy
This Privacy Policy explains how personal data is handled when an organisation uses the CyBehave Heroes platform ("the Platform") provided by CyBehave Ltd ("CyBehave", "we", "us"). It should be read alongside the Terms of Service and the Data Processing Agreement (DPA) that accompanies them, and the Security and Privacy by Design document published in the Trust Centre.
Processing under this Platform is subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Controller and processor roles
CyBehave Heroes is a multi-tenant B2B SaaS platform. Two distinct data-protection roles apply:
- Your organisation is the controller of the personal data of the individuals it onboards to the Platform (Champions, Programme Team members, Security Team members and other named users in your tenant). Your organisation determines the purpose of the processing (running a Security Champion programme), who participates, on what lawful basis those individuals are engaged, and the retention and access decisions within the boundaries that the Platform supports.
- CyBehave acts as a processor of that tenant personal data, processing it only on the documented instructions of your organisation under the DPA.
- CyBehave acts as a controller in its own right for a limited and clearly-bounded set of categories: the customer contract and billing record, platform-wide audit logs maintained for security and abuse detection, authentication and account-security metadata, aggregated and anonymised analytics used to improve the product, and direct communications with the client's nominated primary contact.
Where this Policy uses phrases such as "we process" or "we collect", it refers to processing in whichever of the above roles applies to the data category in question.
2. Who this Policy is addressed to
This Policy is addressed both to data subjects whose personal data is processed on the Platform (typically employees or contractors of a client organisation) and to client organisations carrying out their own privacy due diligence on the Platform.
3. Data we process (as processor on behalf of your organisation)
The following categories are processed on the documented instructions of the client organisation that has onboarded you. The client organisation is the controller; CyBehave is the processor.
- Account data: name, work email address, job title, department, location, organisation name.
- Activity data: login timestamps, task completions, survey responses, badge awards, XP scores, tier progression, login streaks, peer kudos sent and received.
- Profile data: bio, skills, avatar, influence-network mappings (SNA), 360 feedback responses.
- Content data: community posts, risk reports, intervention designs, communication drafts, Nudge AI conversations.
The lawful basis for this processing is determined by the client organisation in its role as controller (typically performance of an employment-related task or legitimate interests in running the programme). CyBehave does not determine that lawful basis on the client's behalf.
4. Data we process (as controller in our own right)
For the following categories CyBehave is the controller and is responsible for the lawful basis and your rights as a data subject:
- Customer contract and billing data: company name, billing contact, VAT number, billing address, payment method reference (Article 6(1)(b) contract performance and Article 6(1)(c) legal obligation for tax, accounting and anti-fraud purposes).
- Authentication and account-security metadata: session tokens, multi-factor authentication state, IP address at sign-in and password reset history (Article 6(1)(f) legitimate interests in operating the Platform securely, and legal obligation where applicable).
- Platform-wide audit and abuse-detection logs: records of authentication events, role changes, billing changes, exports of personal data and platform-administrator actions retained for 24 months (legitimate interests in security and compliance, and legal obligation where applicable).
- Aggregated and anonymised analytics: non-identifying aggregates used to improve the Platform and develop new features (legitimate interests; not personal data once aggregated).
- Direct communications with the client's nominated primary contact: service notices, security advisories, release notes and necessary commercial correspondence (contract performance and legitimate interests; marketing communications are subject to a separate consent or soft-opt-in basis).
5. How data is used
- Service delivery (processor): operating the Platform, managing your account, assigning tasks, tracking progress, generating reports on behalf of your organisation.
- Programme analytics (processor): calculating programme health scores, Security Culture Index, coverage metrics and engagement statistics for Programme Leaders within your organisation.
- Gamification (processor): calculating XP, tiers, streaks, leaderboard rankings and awarding badges within your organisation's programme.
- AI features (processor and controller): generating summaries of programme data and providing in-app guidance and coaching using OpenAI. Personal identifiers (email, phone, surnames in free text where avoidable) are not transmitted. See the AI Policy and the Security and Privacy by Design document for full detail.
- Communications: service emails, security advisories and operational notices (controller); onboarding emails, weekly digests, programme summaries and in-app notifications sent on behalf of your organisation (processor).
- Billing (controller): processing subscription payments via Tide.
- Security and abuse detection (controller): maintaining platform-wide audit logs and detecting misuse or unauthorised access.
6. Data sharing
We share data with the following sub-processors. The current authoritative list, including the country in which each sub-processor operates, the safeguards that apply to any international transfer and the date of any change, is published in the Trust Centre Sub-Processor Register.
- IONOS: hosting provider (United Kingdom).
- Tide: payment processing for subscription billing (UK; Standard Contractual Clauses in place where applicable).
- OpenAI: AI-generated summaries and in-app guidance and coaching. When a user interacts with Nudge chat their typed message is transmitted to OpenAI; aggregated organisation-scoped data (such as technique lookups or coverage counts) is also transmitted as tool-call context, but no champion names are included in those tool results. Email addresses, phone numbers, audit logs, risk descriptions and free-text comments outside the chat input are not transmitted. Transfers are governed by the EU-US Data Privacy Framework and Standard Contractual Clauses where applicable; submitted data is not used to train OpenAI's models.
- CyBehave support team: when a Programme Leader or Programme Team member escalates a flagged Nudge response, the platform notifies the CyBehave support team. The notification includes the organisation name and the escalating role so the case can be routed and actioned; it does not include the original message body, which is reviewed in-app under role-based access controls.
We do not sell, rent, or share your personal data with any other third parties. Within the Platform, your Programme Leader can view your activity data, XP, badges and department as part of programme management; this is processing carried out by the client organisation in its role as controller.
7. Data residency
All Platform data is hosted on IONOS infrastructure in the United Kingdom. Backups are stored in the same region. AI processing involves an international transfer to OpenAI, governed as set out in section 6 above.
8. Data retention
- Active accounts: data retained for the duration of your organisation's subscription.
- Deactivated accounts and organisations: data retained for 90 days in a recoverable state, then automatically and permanently deleted.
- AI usage telemetry: retained for 12 months, then automatically purged.
- Nudge AI conversations: retained for the lifetime of the conversation; users can delete their conversations from the Nudge UI.
- Data deletion requests: processed within 30 days of approval (cooling-off period applies).
- Audit logs: retained for 24 months for compliance and security purposes, then automatically purged.
- Anonymised analytics: retained indefinitely (not personally identifiable).
9. Recovery of deactivated accounts
The Platform supports a role-based recovery model during the 90-day retention window:
- Organisations: a deactivated organisation can be reinstated by a CyBehave Platform Administrator, with all organisation data restored intact.
- Champion accounts: reinstated by a Programme Leader or Programme Team member of that organisation, with progress, XP, badges and history restored intact.
- Security Team and Programme Team accounts: reinstated by a Programme Leader of that organisation.
After 90 days, deactivated accounts and organisations are permanently and irreversibly deleted by automated process. Recovery is not possible after this point.
10. Your rights as a data subject
Under UK GDPR you have the right to: access, rectification, erasure, restriction of processing, data portability, objection to processing based on legitimate interests, and to withdraw any consent you have given. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (the Platform does not make such decisions).
Where CyBehave is the processor, the primary contact for these rights is your organisation as controller; CyBehave will assist under the DPA. Where CyBehave is the controller (section 4), you may contact us directly at privacy@cybehave.com.
In-product self-service supports many of these rights directly: rectification via My Profile; access and portability by emailing privacy@cybehave.com or through your Programme Leader; objection to AI processing by opting out of Nudge from My Profile preferences; and human review of AI output via "Flag this response" on any Nudge reply.
11. Cookies
The Platform uses strictly necessary cookies for authentication and session management only. We do not use tracking, advertising or analytics cookies. No cookie consent is required for strictly necessary cookies under UK GDPR, but we display a notice for transparency. See the Cookie Policy for full detail.
12. Security
We implement appropriate technical and organisational measures including TLS 1.3 encryption in transit, AES-256 field-level encryption for sensitive data, JWT RS256 authentication, multi-factor authentication, role-based access controls, automated security audits, dependency scanning in the deployment pipeline and periodic independent penetration testing. The full set of controls is described in the Security and Privacy by Design document.
13. Personal data breach
In its processor role, CyBehave will notify the client organisation of any personal data breach affecting that organisation's data without undue delay and in any event within seventy-two hours of becoming aware of the breach, in line with Article 33 UK GDPR and the DPA, and will provide the information the controller needs to assess and notify. In its controller role, CyBehave will make any breach notifications that fall on it directly.
14. Children
The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect data from children.
15. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Programme Leaders. The latest version is always available at /privacy and from the Trust Centre.
16. Contact
For privacy enquiries, data requests or complaints: privacy@cybehave.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. If your organisation is established outside the UK, you may also have the right to lodge a complaint with the supervisory authority in your jurisdiction.
Terms of Service
Version: 1.1 · Last updated: 13 June 2026 · Supersedes: v1.0 (17 May 2026)
Welcome to CyBehave Heroes ("the Platform"), a product of CyBehave Ltd ("CyBehave", "we", "us"). By creating an account and using the Platform, you ("you", "the Customer") agree to the following terms. If you do not agree, do not use the Platform.
1. Acceptance of terms
1.1 By registering for an account, you confirm that you are authorised to act on behalf of your organisation and agree to these Terms and Conditions.
1.2 These terms apply to all users: Programme Leaders, Programme Team members, Security Team members, and Champions.
2. Platform description
2.1 CyBehave Heroes is a multi-tenant SaaS platform for managing organisational Security Champion programmes. The Platform uses behavioural science frameworks (including, but not limited to, the COM-B model and the Behaviour Change Wheel) to support the development of evidence-based security culture.
2.2 Features include, but are not limited to, champion management, task assignment, pulse surveys, behavioural interventions, social network analysis, peer recognition, training courses, reporting, and gamification.
2.3 The Platform is an engagement and culture-development tool. It is not a safety-critical system, a real-time security control, an incident detection or response system, or a system of record on which the operation of your business depends. You acknowledge that the Platform is not critical to the continuity of your organisation's operations and agree not to treat it as such. This characterisation is relevant to the service levels and liability provisions below.
3. Account responsibilities
3.1 You are responsible for maintaining the confidentiality of your login credentials. Multi-factor authentication (MFA) is available and recommended. You must not share your account or allow unauthorised access.
3.2 Programme Leaders are responsible for the accuracy of organisational data and the management of users within their organisation.
4. User roles and permissions
4.1 The Platform operates a role-based access model. Role assignments are managed by Programme Leaders.
4.2 Programme Leaders have administrative control over their organisation's programme, including user management, feature configuration, and data exports.
4.3 Programme Team members assist with programme delivery.
4.4 Security Team members have read access to certain programme data and read/write access to the risk management module.
4.5 Champions participate in programme activities.
5. Data and privacy
5.1 Your use of the Platform is subject to our Privacy Policy, which forms part of these terms.
5.2 The Platform collects and processes personal data necessary for service delivery, including name, email, role, department, activity data, XP scores, badge awards, peer kudos, survey responses, and login timestamps.
5.3 AI-powered features (summaries of programme data and in-app guidance and coaching) use OpenAI services with anonymised data. Full details are in the Privacy Policy and the AI Policy at section 15 below.
5.4 As between the parties, in respect of personal data processed through the Platform on your behalf, you are the controller, and CyBehave is the processor. A data processing addendum setting out the processing particulars is available on request and, where agreed, forms part of these terms.
6. Gamification and recognition
6.1 The Platform includes gamification and recognition features (XP, tiers, badges, streaks, leaderboards, peer kudos, Champion of the Month). You acknowledge that these features measure participation and engagement only. They are not a measure of an individual's job performance, competence, or conduct, and tier promotions are automatic based on XP thresholds rather than any assessment by CyBehave.
6.2 You agree not to use Platform engagement data, whether viewed in the Platform or exported via the Reports page, as a basis for any hiring, promotion, discipline, performance review, pay, or termination decision about any individual. This obligation rests with you as the organisation deploying the Platform and is consistent with your responsibilities under the EU Artificial Intelligence Act (Regulation 2024/1689) and with section 15.6 below. CyBehave reserves the right to suspend access for any organisation found to be in material breach of this clause.
7. Subscription, deactivation and recovery
7.1 New organisations receive a 28-day free trial. After the trial, a paid subscription is required to continue using the Platform.
7.2 Subscriptions are seat-based and billed annually in advance. Cancellation takes effect at the end of the current annual billing period and no pro-rata refund is given for the unexpired part of that period, save as expressly stated in section 13.
7.3 Invoices are payable within 30 days of the invoice date. Subscriptions renew annually unless cancelled before the renewal date. If any undisputed sum is not paid by its due date, we may, without prejudice to our other rights, charge interest at the rate set by the Late Payment of Commercial Debts (Interest) Act 1998 and, after reasonable notice, suspend access until payment is received. Suspension for non-payment does not start the 90-day deactivation and recovery period in section 7.4, and your data is retained during any such suspension.
7.4 When an organisation or individual account is deactivated, the associated data is retained for 90 days in a recoverable state. Within this window: a deactivated organisation is reinstated by a CyBehave Support Administrator; a deactivated Champion account is reinstated by a Programme Leader or Programme Team member; a deactivated Security Team or Programme Team account is reinstated by a Programme Leader.
7.5 After 90 days, deactivated accounts and organisations are permanently and irreversibly deleted. Recovery is not possible after this point.
8. Service levels and support
8.1 The Platform is provided on a commercially reasonable endeavours basis appropriate to a non-critical engagement tool. The service levels in this section are targets, not guarantees, and do not give rise to service credits, refunds, or any right of termination except as expressly stated in section 11.
8.2 Availability. We target an availability of 99.0% measured monthly, excluding the exclusions in section 8.3. We do not commit to 100% availability and you should not rely on the Platform for time-critical activity.
8.3 Excluded downtime. Scheduled maintenance; emergency maintenance; failures of third-party services outside our reasonable control (hosting, identity, email, AI); issues arising from your own systems or misuse; and force majeure events do not count as unavailability.
8.4 Support. Support is provided by email to support@cybehave.com during UK business hours (Monday to Friday, 9am to 5pm UK time, excluding public holidays). We do not operate a 24/7 helpdesk or telephone support line. We aim to acknowledge support requests within one business day.
| Priority | Description | Target response |
|---|
| P1 - Major | Platform broadly unavailable to most users | 1 business day |
| P2 - Significant | A core feature is unavailable; a workaround may exist | 2 business days |
| P3 - Minor | Limited or cosmetic issue; minimal impact on use | 5 business days |
8.5 Backups and recovery. We take regular backups and will use commercially reasonable endeavours to restore from the most recent available backup. We do not guarantee a specific recovery point or recovery time objective. You remain responsible for exporting and retaining your own copies of your data via the Reports page.
9. Content and intellectual property
9.1 All intellectual property rights in the Platform are owned by, or licensed to, CyBehave Ltd, including the CyBehave Technique Library, training content, the behavioural frameworks, scoring models, algorithms, analytical and AI models, underlying research and know-how, and all software, designs, interfaces, text and graphics. No rights are transferred to you; you receive only the right to use the Platform during the Term.
9.2 Certain components may be used by CyBehave under licence from third parties and remain the property of the relevant third party.
9.3 Organisations retain ownership of their own data and may export it at any time via the Reports page.
10. Preview features
10.1 The Platform may offer Private Preview and Public Preview features, provided "as is", which may be modified or removed without notice and carry no service level or availability commitment.
10.2 To the fullest extent permitted by law, we exclude all liability arising from preview features.
11. Acceptable use and suspension
11.1 You must not use the Platform to store or transmit unlawful, harmful, or offensive content, attempt to gain unauthorised access to other organisations' data, or reverse engineer or interfere with the Platform.
11.2 Violation of these terms may result in immediate account suspension.
11.3 You are responsible for all use of the Platform under your account and will indemnify CyBehave against reasonable losses arising from your breach or misuse.
12. Warranties and disclaimers
12.1 The Platform is provided "as is" and "as available". To the fullest extent permitted by law, we exclude all warranties not expressly set out in these terms.
12.2 We do not warrant that the Platform will be uninterrupted, error-free, or free of harmful components, or that it will meet your specific requirements.
13. Limitation of liability
13.1 Nothing in these terms limits liability for death or personal injury caused by negligence, fraud, or any other liability that cannot lawfully be limited.
13.2 Subject to 13.1, we are not liable for indirect, special or consequential loss; loss of profit, revenue, business, contracts or anticipated savings; loss of goodwill; or loss or corruption of data beyond our backup-restoration obligation.
13.3 Subject to 13.1, our total aggregate liability is limited to the total fees actually paid in the 12 months immediately preceding the event giving rise to the claim. This is a single aggregate cap, not a per-claim cap.
13.4 Because billing is annual and in advance, fees counted towards the cap are those referable to the elapsed part of the current annual period plus fees paid for any earlier period within the preceding 12 months. The cap will not be less than one month's equivalent of the annual fee.
14. Term and survival
14.1 These terms apply for as long as you hold an active account or subscription (the "Term").
14.2 Only the following survive termination: accrued rights and unpaid sums; sections 9, 12, 13, 16 and 17; confidentiality for three years; data deletion duties and export rights for the 90-day recovery window; and any obligation that must survive as a matter of law.
14.3 We do not impose post-term audit rights or other continuing obligations beyond those listed in section 14.2.
15. AI Policy
15.1 The Platform's AI Policy is published at /ai-policy and is incorporated into these Terms by reference.
15.2 By enabling AI features for any user in your tenant, you acknowledge you have read the AI Policy and accept the responsibilities below.
15.3 When you enable AI features, your organisation is itself a "deployer" under the EU AI Act, responsible for deciding which roles have AI features enabled, informing your users, ensuring appropriate AI literacy (Article 4), reviewing AI-suggested outputs through human judgement, and communicating data subject rights requests to CyBehave.
15.4 Every AI feature is classified by us as limited risk under Article 50 of the EU AI Act, triggering transparency duties only. None are high-risk under Annex III or prohibited under Article 5.
15.5 The Heroes Platform uses OpenAI only. Data submitted to OpenAI's API is not used to train OpenAI's models. Anthropic appears as a CyBehave group sub-processor in the cybehave.com AI Policy but is used only on the marketing site, not in the Heroes Platform.
15.6 You agree that AI outputs must not be used as the sole or principal basis for hiring, promotion, discipline, performance review, pay, or termination decisions. CyBehave reserves the right to suspend AI features for any organisation found to be in material breach of this clause.
15.7 Hard product boundaries: the Platform will not perform emotion recognition on workers, biometric categorisation, social scoring, training of any model on customer prompts or replies, or disclosure of one customer's data to another customer's AI features.
15.8 User rights are set out in section 11 of the AI Policy. You undertake not to suppress or work around these rights.
15.9 Material changes to the AI Policy will be communicated to Programme Leaders via in-app notification and reflected in the Changelog.
16. General
16.1 Force majeure. Neither party is liable for failure or delay caused by events beyond its reasonable control.
16.2 Changes to terms. We may update these terms; material changes will be communicated to Programme Leaders, and continued use constitutes acceptance.
16.3 Entire agreement and severability. These terms, with the Privacy Policy and AI Policy, are the entire agreement. Unenforceable provisions are modified or severed; the rest continue in force.
17. Governing law
17.1 These terms are governed by the laws of England and Wales.
17.2 Any disputes are subject to the exclusive jurisdiction of the courts of England and Wales.
Cookie Policy
This Cookie Policy explains how CyBehave Heroes uses cookies and similar technologies. It applies to securitychampionsportal.com, heroes.cybehave.com, and any subdomain of cybehave.com on which the Heroes platform is served.
1. What cookies are
Cookies are small text files placed on your device by your browser when you visit a website. They are widely used to make websites work, or work more efficiently, and to provide reporting information to the site owner.
2. Cookies we set
The Heroes platform uses cookies that fall into a single category: strictly necessary. These cookies are essential for the platform to function and cannot be switched off. You can configure your browser to block them, but parts of the platform will then not work.
| Cookie | Purpose | Lifetime |
|---|
| cybehave_heroes_session | Laravel session identifier. Keeps you signed in as you move between pages. | Session, with idle expiry of 120 minutes. |
| XSRF-TOKEN | Cross-site request forgery token. Protects forms and Livewire actions from forged submissions. | Session. |
| jwt_token | Authentication token (RS256 JWT) issued at sign-in. Used by the API layer to verify your identity. | Up to 24 hours, refreshed on activity. |
| cb_trusted_device | Records that this browser has passed multi-factor authentication, so we do not prompt for a code on every sign-in. Set only if you tick "trust this device" at the MFA challenge. | 30 days from last sign-in. |
| laravel_maintenance | Maintenance-mode bypass for platform administrators. Set only when an admin uses the bypass URL. | Cleared when maintenance mode ends. |
3. Cookies we do not set
- We do not set advertising cookies.
- We do not set third-party analytics cookies (Google Analytics, Hotjar, Mixpanel and similar are not loaded).
- We do not set social-network tracking cookies (Facebook Pixel, LinkedIn Insight, X/Twitter and similar are not loaded).
- We do not use cross-site tracking pixels or fingerprinting.
4. Local storage and similar technologies
The platform uses your browser's localStorage for a small number of UI preferences (last-active programme, dismissed onboarding tour state, expanded panel state). These values stay on your device, are never transmitted to our servers, and contain no personal data. Clearing site data in your browser removes them.
5. Why we do not show a cookie banner
UK and EU rules under PECR and the EU ePrivacy Directive require consent for non-essential cookies. Because the Heroes platform sets only strictly necessary cookies, no consent banner is required. If we add any non-essential cookie in future, we will introduce a consent mechanism before it is set and update this policy.
6. Your choices
You can control and delete cookies through your browser. Most browsers let you refuse cookies, delete cookies already set, or be notified before a cookie is set. Detailed instructions for each major browser are at aboutcookies.org. Disabling the cookies listed in section 2 will prevent you from signing in to the Heroes platform.
7. Changes to this policy
We may update this policy from time to time. The current version is always available at /cookies. Material changes will be communicated to Programme Leaders through the in-app changelog.
8. Contact
Questions about cookies or any of our policies: privacy@cybehave.com.
CyBehave Heroes — AI Policy
Last updated: 2 June 2026. Version 1.1 (Section 6 expanded to cover the support-team escalation digest and SNA name redaction; audit retention shortened to 24 months).
This is the AI Policy for the CyBehave Heroes platform (heroes.cybehave.com). It operates under the group-wide CyBehave AI Policy at cybehave.com/ai-policy.php, which sets out CyBehave's principles, sub-processors, EU AI Act risk classification, and UK regulatory alignment. Where the group policy describes the framework, this document describes what that framework means inside the Heroes platform.
This document, the Privacy Policy, and the Terms and Conditions form one set. Where the documents differ on a point of detail, the Terms and Conditions are the contractual instrument.
1. Our six AI principles
- Human-centred — AI supports human decision-making, it does not replace it.
- Privacy-first — AI features never use individual-level surveillance, behavioural profiling of named users, or covert monitoring.
- Proportionate — we use AI only where it offers clear value over simpler alternatives.
- Transparent — we tell you when you are interacting with AI and when content has been AI-assisted.
- Accountable — a named human owner is responsible for every AI feature we deploy.
- Reviewable — AI outputs that affect users are open to challenge, correction, and human review.
2. Where AI is used in CyBehave Heroes
The platform uses OpenAI's gpt-4o-mini model server-side to power:
- Nudge AI Chat — an in-app coaching assistant for all roles.
- Nudge Comms Review — behavioural review and rewrite suggestions on communications drafts.
- Nudge SNA Summary — a daily one-paragraph summary of the Social Network Analysis dashboard.
- Nudge Theme Insights — aggregated theme analysis of Nudge chat topics, surfaced to Programme Leaders.
- Intervention Retrospective Suggestion — a short next-step recommendation when a retrospective is filed.
- Programme Summary — periodic narrative summaries of programme status for Programme Leaders.
Risk score, XP, tier, streak, leaderboard rank, Security Culture Index, Wellbeing Score, SANS Maturity stage and programme coverage are deterministic formulae and are not AI under Article 3(1) of the EU AI Act.
3. Sub-processor scoping
The Heroes platform uses OpenAI only. Anthropic is named as a CyBehave group sub-processor in the cybehave.com AI Policy and is used on the marketing site for content drafting and interactive demonstrations; Anthropic is not used inside the Heroes platform and your organisation's data is not sent to it.
4. EU AI Act risk classification
Unacceptable risk (prohibited, Article 5). We do not deploy any AI system in the prohibited categories, including social scoring, exploitative manipulation, real-time remote biometric identification in public spaces, predictive policing based solely on profiling, emotion recognition in workplaces, and biometric categorisation by sensitive attributes.
High risk (Annex III). None of our AI features fall within the high-risk categories. We keep the platform out of Annex III #4(b) by an explicit product boundary: AI outputs must not be the sole or principal basis for HR decisions. This boundary is contractually binding via the Terms and Conditions.
Limited risk (Article 50 transparency). Every AI feature listed in section 2 is classified as limited risk, triggering transparency duties only, satisfied through a visible AI disclosure on every AI surface, a first-use modal in the Nudge shell, and a per-feature inventory in our internal AI System Card.
General-purpose AI models. We are a deployer of general-purpose AI models supplied by third-party providers; we are not a provider of foundation models.
5. Self-reported sentiment is not affect inference
Champion Check-In, Team Pulse, and 360 Feedback collect self-reported ratings and reflections that the user voluntarily enters. They do not infer emotional state from text, voice, video, biometrics, or behavioural signals, and are therefore not "emotion recognition" under Article 5(1)(f).
6. What we send to OpenAI, and what we send to CyBehave support
To OpenAI (per Nudge interaction): the user's typed message and the last 10 turns; a system prompt containing the user's role label, the organisation name, and the active programme stage; and aggregated, organisation-scoped tool-call results when Nudge looks up techniques, pulse summaries, or coverage.
We do not send email addresses, phone numbers, surnames in free text where avoidable, risks, incidents, audit logs, or any data outside the requesting user's organisation. Champion names are not included in Nudge SNA summaries. Submitted data is not used to train OpenAI's models.
To CyBehave support (only when a user escalates a flagged response): the organisation name and the escalating role, the flag reference and timestamps. The original chat message body is not included in the digest and is reviewed in-app under role-based access controls.
7. Retention
- AI usage telemetry: retained for 12 months, then automatically purged.
- Nudge message bodies: redacted in place after 30 days, leaving only token counts and feedback ratings for analytics.
- Nudge conversations: retained for the lifetime of the conversation; users can delete them from the Nudge UI at any time.
- Audit log entries for AI incidents: retained for 24 months, then automatically purged.
8. What CyBehave (the provider) is responsible for
- Maintaining this AI Policy and the internal AI System Card, reviewed at least every 6 months.
- Implementing Article 50 transparency on every AI surface.
- Operating prompt-injection guardrails, output guardrails and rate limits on every AI feature.
- Minimising data sent to OpenAI, logging AI usage and retaining telemetry as described above.
- Honouring per-user opt-out and "Flag this response" requests.
- Maintaining an internal AI literacy programme (Article 4).
- Notifying affected customers within 72 hours of any serious AI incident.
9. What the customer (deployer) is responsible for
- Choosing whether to enable Nudge AI for each role.
- Telling its own users that AI features are in use.
- Ensuring AI literacy among its programme staff (Article 4).
- Not using AI outputs as the sole or principal basis for HR decisions.
- Reviewing leaderboard rankings, 360 feedback summaries and Champion of the Month outcomes through human judgement before acting.
- Reviewing flagged Nudge responses regularly via the Nudge admin panel.
- Communicating data subject rights requests to CyBehave where Platform action is needed.
10. Hard product boundaries
These practices are prohibited across the Heroes platform regardless of customer or user request, and no configuration can lift them: AI outputs as the sole or principal basis for HR decisions; individual-level behavioural surveillance, profiling or scoring of named employees; covert monitoring of staff; emotion recognition or affect inference in workplace or educational contexts; biometric categorisation by sensitive attributes; sharing of customer or user data with AI providers to train their models; generation of deceptive synthetic content (deepfakes) of real individuals; use of AI outputs to make final, automated decisions about a person without human review; disclosure of one customer's data to another customer's AI features; and any deployment that would fall under Article 5 of the EU AI Act.
11. Your rights
- Be informed when interacting with an AI system. Every AI surface carries a visible AI disclosure.
- Opt out of the Nudge AI assistant for yourself, from My Profile preferences.
- Flag a response you believe is inaccurate, harmful, or off-policy. Flagged responses are routed to your Programme Lead for human review.
- Request human review of any decision you feel was influenced by an AI feature.
- Access, correct, erase, restrict, port or object to processing of your personal data via privacy@cybehave.com.
12. UK regulatory alignment
For Heroes we align with UK GDPR and the Data Protection Act 2018 (enforced by the ICO), the five cross-sectoral AI principles in the 2023 government white paper, the Equality Act 2010, NCSC guidance on the secure development and deployment of AI systems, and ICO guidance on automated decision-making and the right to human review. Where EU AI Act standards are stricter than UK requirements, we apply the EU standard as our baseline.
13. Incident response
CyBehave will notify affected customer organisations within 72 hours of confirming a serious AI incident, defined as confirmed disclosure of personal data via an AI feature, a confirmed cross-tenant data leak, a confirmed jailbreak that produced policy-violating content visible to a user, or a regulatory notice received by CyBehave Ltd.
14. Changes to this policy
Material changes are communicated to Programme Leaders via in-app notification and surfaced in the Changelog. The current version is always available at /ai-policy.
15. Contact
AI policy and AI feature queries: ai@cybehave.com. Privacy queries: privacy@cybehave.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Security and Privacy by Design
This document forms an integral part of the Data Processing Agreement (DPA) between CyBehave Ltd and the client organisation (the "Controller"). It is the schedule of technical and organisational measures referenced in Section 5 and Schedule 1.G of the DPA, and the measures described here are the measures CyBehave maintains under Article 32 UK GDPR in its processor role.
It is also published as a standalone document so that prospective customers and data subjects can review the platform's security and privacy posture before signing the Terms of Service, and so the Controller can use it to support its own DPIA, supplier review and information-security questionnaires.
1. Status and relationship to other Trust Centre documents
The Terms of Service is the master contract, incorporating the Privacy Policy, AI Policy, Cookie Policy and DPA by reference. The DPA is the Article 28 processor agreement. This document is the schedule of technical and organisational measures referenced by the DPA. The Sub-Processor Register is the live appendix referenced by Section 6 and Schedule 1.F of the DPA. Where these documents differ on contractual detail, the Terms of Service prevail; where they differ on the processing of tenant personal data, the DPA prevails.
2. Scope
CyBehave Heroes is a multi-tenant SaaS platform for managing organisational Security Champion programmes, operated by CyBehave Ltd. The controls described in this document apply to the production service.
3. Controller and processor roles
The Controller is the controller of the personal data of the individuals it onboards. CyBehave acts as a processor in respect of that tenant personal data, processing it only on documented instructions under the DPA. CyBehave acts as a controller in its own right for a limited set of categories (contract and billing record, platform-wide audit logs, authentication and account-security metadata, aggregated and anonymised analytics, and direct communications with the Controller's nominated primary contact), which fall outside the DPA and are governed by the Privacy Policy.
4. Privacy by Design principles
The platform is designed against the seven foundational principles set out by the ICO for Privacy by Design: proactive not reactive; privacy as the default; privacy embedded into design; full functionality (positive-sum, with k-anonymity thresholds on team-level reporting); end-to-end lifecycle protection; visibility and transparency; and respect for user privacy.
5. Data minimisation
- Account data is limited to name, work email, job title, department, location and organisation name.
- Free-text fields are bounded in length and content-moderated where appropriate.
- Special category personal data (Article 9 UK GDPR) is not collected.
- The platform does not collect or store payment-card data; billing is handled by the payments sub-processor, and CyBehave receives only a tokenised reference and the last four digits.
- The platform does not collect device-fingerprinting data, location beyond the user-supplied field, advertising identifiers or browsing history beyond the platform itself.
6. Tenant isolation and access control
- Every personal-data record is scoped to an organisation id; application-level guards reject cross-tenant queries.
- Authorisation follows a role-based access control model with four primary roles and a separate, segregated Platform Administrator role used only by CyBehave operations staff.
- Cross-tenant access by Platform Administrators is logged to an immutable audit trail.
- Champions can only see their own personal data and team-level aggregates that meet the k-anonymity threshold for the Team Pulse feature.
7. Authentication and account security
- Authentication uses JSON Web Tokens signed with RS256 (asymmetric, 2048-bit), issued at sign-in and refreshed on activity.
- MFA is mandatory on every sign-in for all privileged roles, which cannot use the "trust this device" grace period.
- MFA is available to Champions and can be enforced organisation-wide; Champions may opt in to a 30-day "trust this device" grace period.
- Password policy enforces minimum length and complexity, blocks compromised passwords, and rate-limits authentication attempts.
- Email and phone number are encrypted at rest using AES-256 with a deterministic HMAC blind index for lookups.
- Sessions expire on idle and on explicit sign-out.
8. Encryption
- In transit: all customer traffic is served over TLS 1.3 with modern cipher suites; HTTP is redirected to HTTPS.
- At rest: the production database is encrypted at the storage layer; sensitive fields (email, phone) are additionally encrypted at the application layer with per-field AES-256.
- Backups: encrypted at rest in the same UK region as the production database.
- Secrets management: application secrets are held outside the source repository and the public web root, scoped to the production runtime account.
9. Application security controls
- All input is validated server-side; parameter binding and the ORM prevent SQL injection.
- Output encoding and a strict Content Security Policy with per-request nonces prevent cross-site scripting.
- CSRF tokens protect all state-changing requests.
- A web application firewall sits in front of the platform, tuned to the Heroes surface.
- Dependency auditing runs in the deployment pipeline; critical vulnerabilities block release.
- The platform exposes no public administrative endpoint.
10. Logging, monitoring and accountability
- Authentication events, role changes, billing changes, exports of personal data and platform-administrator actions are written to an immutable audit log retained for 24 months.
- Application errors are recorded with sensitive data masked.
- Controllers can view tenant-scoped activity through in-app audit features without requiring a support ticket.
11. Data residency and sub-processors
All customer data is stored and processed in the United Kingdom. The current list of sub-processors, their country of operation, and the safeguards that apply to any international transfer is published in the Trust Centre Sub-Processor Register.
12. AI safeguards
- AI processing is opt-in at the organisation level; individual users can opt out from their profile.
- Personal identifiers are stripped or not transmitted to the AI provider.
- The system prompt enforces tenant scoping and explicit refusal rules for jailbreak attempts, persona switching, off-topic requests and cross-tenant data.
- Input guardrails include an injection-pattern blocklist, message length limits and rate limiting.
- The AI provider's data-processing terms include a commitment that submitted data is not used to train provider models.
- Every AI response includes a "flag for human review" control routed to the user's Programme Lead.
- AI usage is logged tenant-by-tenant and capped against a contractual token budget.
13. Retention and deletion
Personal data is retained for the duration of the Controller's subscription and within the Privacy Policy retention windows. Deactivated accounts and organisations enter a ninety-day recoverable window and are then permanently and irreversibly deleted. Erasure requests are processed within thirty days of approval, subject to the cooling-off period. Backups age out on a defined schedule.
14. Data subject rights support
The platform supports access and portability (in-app export or via the privacy address), rectification (user-editable profile fields), erasure (on request, subject to lawful-basis carve-outs), and objection/restriction (optional processing such as AI coaching can be turned off without losing core access).
15. Resilience and recovery
The platform is hosted in a single UK region with an automated daily backup and frequent transactional log shipping, supporting point-in-time recovery. Deployments are atomic and reversible, supporting same-day rollback. Recovery time and recovery point objectives are defined in the contract Service Level Schedule.
16. Security testing
Static analysis runs as part of the deployment pipeline; high-severity issues block release. Dependency vulnerabilities are reviewed before every release and out-of-band when a critical advisory is published. Targeted application-security review is performed on every significant feature.
17. Incident response
CyBehave maintains an incident response process covering detection, triage, containment, eradication, recovery and post-incident review. Personal data breach notification follows Section 8 of the DPA: CyBehave notifies the Controller without undue delay and within seventy-two hours of becoming aware. In its processor role, CyBehave does not transfer the obligation to notify supervisory authorities or data subjects; that remains with the Controller, and CyBehave provides the information needed to do so.
18. Standards alignment
Controls are designed in line with the UK GDPR, the Data Protection Act 2018, the NCSC Cloud Security Principles and the OWASP Application Security Verification Standard. Formal certifications, where held or in progress, are listed in the Trust Centre as they are issued.
19. Contact
Privacy enquiries, data requests, supplier review and DPIA support: privacy@cybehave.com. Security enquiries (vulnerability disclosure, incident notifications, security questionnaires): support@cybehave.com.
Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms of Service between CyBehave Ltd ("CyBehave", the "Processor") and the client organisation that has subscribed to the CyBehave Heroes platform (the "Controller"). It governs the processing of personal data carried out by CyBehave on the Controller's behalf in connection with the Platform.
This DPA reflects Article 28 of the UK GDPR and the Data Protection Act 2018, and should be read alongside the Privacy Policy and the Security and Privacy by Design document.
1. Definitions
- Applicable Data Protection Law means the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 and any other applicable data-protection legislation.
- Controller, Processor, Data Subject, Personal Data, Processing, Personal Data Breach and Sub-Processor have the meanings given in Applicable Data Protection Law.
- Platform means the CyBehave Heroes hosted service.
- Tenant Personal Data means Personal Data processed by CyBehave on the Controller's behalf as described in Schedule 1.
- Standard Contractual Clauses means the UK International Data Transfer Addendum and the European Commission's Standard Contractual Clauses, as applicable.
2. Roles of the parties
In respect of Tenant Personal Data, the Controller is the controller and CyBehave is the processor. CyBehave is a controller in its own right for the categories described in section 4 of the Privacy Policy, which fall outside this DPA and are governed by the Privacy Policy.
3. Processing on documented instructions
CyBehave shall process Tenant Personal Data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do otherwise by UK or EU law. The Controller's documented instructions are those in the Terms of Service, this DPA, Schedule 1, and any other instructions agreed in writing. The Controller's configuration of the Platform also constitutes a documented instruction. CyBehave shall immediately inform the Controller if, in its opinion, an instruction infringes Applicable Data Protection Law.
4. Confidentiality
CyBehave shall ensure that personnel authorised to process Tenant Personal Data have committed themselves to confidentiality. Access is granted on a need-to-know basis and is logged.
5. Security of processing
CyBehave shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. The current set of measures is described in the Security and Privacy by Design document, including encryption in transit and at rest, tenant isolation, role-based access control, multi-factor authentication, immutable audit logging, dependency scanning, and a documented incident response process. CyBehave may update the measures provided any update does not materially reduce protection.
6. Sub-processors
The Controller authorises CyBehave to engage the sub-processors listed in the Sub-Processor Register as at the effective date, and grants general authorisation for additional or replacement sub-processors subject to the procedure in this section. CyBehave shall notify the Controller at least thirty days before a change takes effect, through the Register and to the nominated primary contact. The Controller may object on reasonable grounds during that period; if unresolved, the Controller may terminate the affected portion of the Platform for cause. CyBehave imposes obligations on each sub-processor no less protective than this DPA and remains fully liable for sub-processor performance.
7. Assistance with data subject rights
Taking into account the nature of the processing, CyBehave shall assist the Controller by appropriate technical and organisational measures in fulfilling its obligation to respond to data subject rights requests. Where a Data Subject contacts CyBehave directly, CyBehave forwards the request to the Controller without undue delay and does not respond itself unless instructed or required by law. The Platform provides in-product self-service for many rights.
8. Personal Data Breach notification
CyBehave shall notify the Controller without undue delay and within seventy-two hours of becoming aware of a Personal Data Breach affecting Tenant Personal Data. The notification will include, to the extent known, the nature of the breach, likely consequences, measures taken or proposed, and the CyBehave security contact. In its processor role, CyBehave does not itself notify the ICO or affected Data Subjects; that obligation remains with the Controller, with reasonable assistance from CyBehave.
9. Data protection impact assessment and prior consultation
CyBehave shall provide reasonable assistance with DPIAs under Article 35 and prior consultation under Article 36 where necessary and relating to processing under this DPA. The Security and Privacy by Design document and the Sub-Processor Register are made available for this purpose, and a completed supplier security questionnaire is available on request.
10. Return and deletion of Tenant Personal Data
On termination of the Terms of Service, CyBehave shall, at the Controller's choice, return or delete all Tenant Personal Data, save where storage is required by law. The Platform supports a ninety-day recoverable window for deactivated organisations; at the end of that window, data is permanently and irreversibly deleted. The Controller may request an export at any time during the subscription. After permanent deletion, recovery is not possible.
11. Audits and information
CyBehave shall make available all information necessary to demonstrate compliance with Article 28 UK GDPR and this DPA. CyBehave will contribute to a Controller's audit on at least thirty days' written notice, no more than once in any twelve-month period (except after a confirmed breach), during normal business hours, without disrupting the Platform or compromising other customers' security, and at the Controller's cost. CyBehave may decline access to information that would compromise other customers' security or is subject to legal privilege.
12. International transfers
Tenant Personal Data is hosted in the United Kingdom. Where a sub-processor is located outside the UK, CyBehave shall ensure an appropriate Article 46 safeguard is in place, including the UK International Data Transfer Addendum or the European Commission's Standard Contractual Clauses, together with any required supplementary measures.
13. Liability
The liability of each party under this DPA is subject to the liability provisions in the Terms of Service.
14. Term and termination
This DPA takes effect when the Controller accepts the Terms of Service and remains in force for as long as CyBehave processes Tenant Personal Data on the Controller's behalf. Termination of the Terms of Service automatically terminates this DPA, subject to surviving obligations relating to return and deletion of data, confidentiality and audit.
15. Conflict and variation
In the event of conflict between the Terms of Service and this DPA in relation to the processing of Tenant Personal Data, this DPA prevails. CyBehave may update this DPA provided any update does not materially reduce protection; material updates are communicated to the nominated primary contact at least thirty days before they take effect.
16. Governing law and jurisdiction
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction.
17. Contact
Data protection enquiries, audit and DPIA support: privacy@cybehave.com. Security enquiries, vulnerability disclosure, breach notifications and security questionnaires: security@cybehave.com.
Schedule 1: Description of processing
A. Subject matter. The processing of Tenant Personal Data by CyBehave as processor on behalf of the Controller in connection with the operation of the CyBehave Heroes platform for the Controller's Security Champion programme.
B. Duration. For the duration of the Controller's subscription, plus the ninety-day recoverable window following deactivation, after which Tenant Personal Data is permanently and irreversibly deleted.
C. Nature and purpose. Hosting, storing, organising, structuring, retrieving, consulting, transmitting, disseminating within the Controller's tenant, restricting, erasing and destroying Tenant Personal Data for the purpose of running the Controller's Security Champion programme, including account management, programme task tracking, gamification, 360 feedback, social network analysis, survey and Team Pulse administration, community posts, risk reporting, intervention design, programme communications and AI-assisted coaching where enabled.
D. Categories of personal data. Account data (name, work email, job title, department, location, organisation name); activity data (login timestamps, task completions, survey responses, badge awards, XP scores, tier progression, login streaks, peer kudos); profile data (bio, skills, avatar, influence-network mappings, 360 feedback responses); content data (community posts, risk reports, intervention designs, communication drafts, Nudge AI conversations); technical data (IP address at sign-in, session tokens, MFA state). The Platform does not collect special category personal data, payment card data, advertising identifiers or device fingerprints.
E. Categories of data subjects. Champions and other named users, Programme Team members, Security Team members and Programme Leaders, typically employees, contractors or other authorised personnel of the Controller.
F. Sub-processors. As set out in the Sub-Processor Register, and as updated from time to time in accordance with section 6.
G. Security measures. As described in the Security and Privacy by Design document, including encryption in transit and at rest, tenant isolation, role-based access control, multi-factor authentication, immutable audit logging, automated retention enforcement, dependency scanning and a documented incident response process.
Sub-Processor Register
The following third-party data processors support the delivery of the CyBehave Heroes platform.
Active sub-processors
| Sub-processor | Purpose | Location | Data categories | Contract |
|---|
| ActiveCampaign LLC (Postmark) | Transactional email delivery (invitations, MFA codes, password resets, billing notices, programme broadcasts) | USA (EU SCCs in place) | recipient_email, email_subject, email_body, bounce_events | May 2026 |
| GitHub Inc. | Source-code hosting and CI/CD | USA | no_customer_data | Sep 2024 |
| IONOS SE | Cloud hosting platform for the website and application platform | United Kingdom | all_application_data | Sep 2024 |
| OpenAI, OpCo LLC | AI coaching assistant (Nudge) - chat completion only, no training | USA | chat_messages, org_name, user_role | Sep 2025 |
| Tide Platform Ltd. | Business banking and payment processing for subscription invoices | United Kingdom | billing_contact, payment_reference, invoice_history | Apr 2026 |
The Sub-Processor Register is the live appendix referenced by Section 6 and Schedule 1.F of the DPA. CyBehave notifies the Controller of any intended addition or replacement of a sub-processor at least thirty days before the change takes effect.
DPIA Summary: AI Features
This is a public summary of the Data Protection Impact Assessment (DPIA) that CyBehave maintains for the AI features in the CyBehave Heroes platform. It is provided to support customer due diligence, supplier review and DPIA work by controllers. Operational and security-sensitive detail has been omitted; the full assessment is available to customers under NDA on request.
1. Why we carried out a DPIA
We carried out a DPIA because the AI features process personal data of identifiable workplace users, generate written suggestions that can influence engagement and intervention decisions, transmit a minimised set of data to a sub-processor outside the UK and EEA, and use generative AI, a relatively new technology. Conducting a DPIA is consistent with UK GDPR Article 35 and with our transparency duties under Article 50 of the EU AI Act.
We do not classify these features as high risk under the EU AI Act. There is no biometric identification, no emotion recognition, no social scoring and no automated employment decision-making. Our Terms of Service explicitly prohibit using AI outputs as the sole or principal basis for hiring, promotion, discipline, pay or termination decisions.
2. Roles
The customer organisation is the controller for the personal data of the individuals it onboards. CyBehave Ltd is the processor operating the Platform. OpenAI acts as a sub-processor providing the underlying AI model. Full detail of these roles is set out in the Privacy Policy and the Data Processing Agreement.
3. Processing in scope
The DPIA covers the AI features described in the AI Policy: Nudge AI chat, communications review, social network analysis (SNA) summary, theme insights, intervention retrospective suggestion, and programme summaries. Each feature calls a third-party AI model over an encrypted connection and returns text to authenticated users within a single customer tenant.
4. Lawful basis
Nudge AI chat is provided as part of the contracted service (Article 6(1)(b)). The analytical features (communications review, SNA summary, theme insights, retrospective suggestion and programme summary) rely on legitimate interests (Article 6(1)(f)), balanced against the data minimisation we apply. Our legitimate interests assessment concludes that the impact on individuals is low because direct identifiers are not transmitted, AI outputs are advisory rather than determinative, and a per-user opt-out is available. No special category data is intentionally processed, and the Platform is a workforce product not directed at children.
5. Data minimisation
Several layers of minimisation are applied before any data leaves our environment:
- Direct identifiers - names, email addresses, phone numbers and similar - are excluded from what is sent to the AI model. Only a role label (for example "Programme Leader") and, for grounding in chat, the organisation name are included.
- Analytical features send aggregated figures such as counts, scores and deltas rather than individual records, and network-analysis summaries have personal names stripped before transmission.
- Data returned from internal lookups is filtered to remove sensitive fields before it re-enters the model context.
- AI replies are scanned and any email-like or phone-like patterns are redacted before the response is shown.
- Input and output length limits and a bounded conversation window cap how much text is processed.
6. Categories of personal data
The data involved is limited to: a role label; the organisation name (chat only); free-text the user chooses to type; and aggregated behavioural and engagement metrics. Direct identifiers and special category data are not sent to the AI model. The Platform does not process children's data.
7. International transfer
AI model inference involves a transfer to OpenAI in the United States. Transfers are governed by the EU-US Data Privacy Framework where applicable, with Standard Contractual Clauses as a fallback, and the UK International Data Transfer Addendum for UK exporters. Our transfer impact assessment concludes the transfer is lawful and the residual risk acceptable, on the basis that no direct identifiers and no special category data are transferred, the payload is minimised, data is encrypted in transit, and submitted data is not used to train the provider's models.
8. Key risks and how we address them
The DPIA assesses a set of risks to individuals and the controls that reduce them. In summary:
- A personal identifier reaching the AI provider in a prompt - addressed by the identifier exclusions, internal-data filtering and name-stripping described above, supported by automated tests. Residual risk: low.
- The model fabricating a statement about a named individual - addressed by sending only a role label rather than a name, system instructions that forbid personal judgements, and a "flag this response" route to a human reviewer. Residual risk: medium-low.
- Prompt-injection attempts to extract system or other-tenant data - addressed by input filtering, strict per-tenant scoping of every lookup, output marker-stripping and guardrail logging. Residual risk: low.
- Cross-tenant data leakage - addressed by mandatory organisation-level scoping, per-tenant cache separation, code review and integration testing. Residual risk: low.
- Individuals not being aware AI is in use - addressed by a first-use disclosure, a visible AI indicator on AI-generated text, and re-prompting when the AI Policy version changes. Residual risk: low.
- International transfer safeguards - addressed as set out in section 7. Residual risk: medium-low.
- Retention beyond what is necessary - addressed by automated retention enforcement (see section 9). Residual risk: low.
- Exercising data subject rights against AI-generated data - addressed by in-app visibility of a user's own conversations, deletion on request and account-deletion workflows. Residual risk: low to medium, with ongoing work to further automate erasure.
- AI output used as the sole basis for an employment decision - prohibited contractually, reinforced in programme-leader guidance and by in-product disclaimers. Residual risk: low.
- Vendor policy change reintroducing risk - addressed by periodic review of the provider's terms and sub-processor status, and the ability to change provider. Residual risk: medium-low.
9. Retention
AI usage telemetry is retained for 12 months and then automatically purged. Nudge conversation content is kept for the life of the conversation, can be deleted by the user from the Nudge interface, and is removed under the 90-day deactivation window described in the Privacy Policy. Short-lived caches expire automatically. Backups follow the platform-wide backup schedule.
10. Data subject rights
The rights mechanism described in the Privacy Policy covers AI processing. Users can access their own AI conversation history, delete their Nudge conversations in-app, object to AI processing through a per-user opt-out in their profile, and request human review of any AI output using "Flag this response".
11. Outcome
After mitigations, the residual risk to individuals is assessed as low to medium-low across the assessment. AI outputs in CyBehave Heroes are advisory, scoped to a single tenant, do not drive automated decisions about individuals, and are subject to human override through per-user opt-out, response flagging and the contractual prohibition on HR use. Processing may proceed, and prior consultation with the supervisory authority is not required. The DPIA is reviewed at least annually and whenever an AI feature materially changes.
12. Contact
DPIA, supplier review and due-diligence requests: privacy@cybehave.com. AI feature queries: ai@cybehave.com.
Privacy Policy
Who we are
CyBehave is a behavioural cybersecurity research organisation and SaaS platform provider registered in England and Wales. Contact: privacy@cybehave.com.
Data we collect
Information you provide directly
- Name and email address when registering for Heroes or subscribing to updates.
- Organisation name and job title when signing up or completing assessments.
- Content submitted through contact forms or surveys.
- Payment information - processed by our payment provider, not stored by CyBehave.
Information collected automatically
- IP address and browser information for security and analytics.
- Pages visited and navigation patterns through our own analytics system.
- Session information to maintain your logged-in state.
How we use your data
- To provide and maintain access to CyBehave Heroes and associated tools.
- To send service communications relevant to your account.
- To send research updates where you have opted in.
- To improve our products through aggregated, anonymised usage analysis.
- To comply with legal and regulatory obligations.
Legal basis for processing
We process personal data under the following legal bases under UK GDPR:
- Contract - processing necessary to provide the services you have signed up for.
- Legitimate interests - improving our products, security monitoring, and fraud prevention.
- Consent - marketing communications and optional cookies.
- Legal obligation - where required by law.
Data sharing
We do not sell your personal data. We share data only with service providers under data processing agreements and with law enforcement where legally required. All data is stored on UK-based infrastructure.
Retention
Platform account data is retained for the duration of your account and for 90 days following deletion. Contact form submissions are retained for 12 months. Financial records are retained for 7 years in accordance with legal requirements.
Your rights
Under UK GDPR you have the right to: access your personal data; correct inaccurate data; request erasure; restrict or object to processing; data portability; and to withdraw consent. Contact privacy@cybehave.com to exercise any right. You may also complain to the Information Commissioner's Office (ICO).
Cookies
We use strictly necessary cookies for session management. Optional analytics cookies are only set with your consent. See our Cookie Policy for full details.
Contact us
Privacy queries: privacy@cybehave.com. General enquiries: see the Contact page on cybehave.com.
Cookie Policy
What are cookies
Cookies are small text files placed on your device when you visit a website. They allow the site to remember your preferences and understand how you use it.
Strictly necessary cookies
These cookies are essential for the platform to function. They are set in response to your actions such as logging in or filling in a form and cannot be disabled.
| Cookie | Purpose | Expires |
|---|
| cybehave_session | Maintains your logged-in session | Session |
| cb_admin | Admin authentication token | Session |
Analytics cookies
We use our own analytics system - aggregate and anonymised, not shared with third parties. Only set with your consent.
| Cookie | Purpose | Expires |
|---|
| cb_visitor | Anonymous visitor tracking for our own analytics | 30 days |
Managing cookies
You can control and delete cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in to Heroes. Browser guides are available for Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge.
Contact
Questions: privacy@cybehave.com.
AI Policy
Who we are
CyBehave is a behavioural cybersecurity research organisation and SaaS platform provider registered in England and Wales. This AI Policy describes how we use, govern, and disclose artificial intelligence (AI) across our properties, namely the CyBehave marketing site (cybehave.com) and the CyBehave Heroes platform (heroes.cybehave.com).
This policy sits alongside our Privacy Policy and Cookie Policy. Where AI processing involves personal data, both this policy and our Privacy Policy apply. Contact: ai@cybehave.com.
Our AI principles
We treat AI the way we treat the rest of our work: behaviourally informed, evidence-based, and privacy-first. Our commitments are:
- Human-centred - AI supports human decision-making, it does not replace it.
- Privacy-first - AI features never use individual-level surveillance, behavioural profiling of named users, or covert monitoring.
- Proportionate - we use AI only where it offers clear value over simpler alternatives.
- Transparent - we tell you when you are interacting with AI and when content has been AI-assisted.
- Accountable - a named human owner is responsible for every AI feature we deploy.
- Reviewable - AI outputs that affect users are open to challenge, correction, and human review.
How we use AI
Our use of AI is deliberately limited and disclosed at the point of use. The categories below describe current and near-term planned uses.
On the marketing site (cybehave.com)
- Content drafting and editing - some articles, insights, and resource materials are drafted with AI assistance and reviewed, edited, and approved by a human author before publication. Authorship and editorial responsibility remain with CyBehave.
- Search and discovery - we may use AI to suggest related articles or insights based on the page you are reading. These suggestions are generated from public site content, not from your personal data.
- Interactive demonstrations - selected pages may include AI-powered demonstrations of our research or platform capabilities. Where these are present, they are clearly labelled and use only the inputs you provide in the demo itself.
On the CyBehave Heroes platform
- Maturity assessment scoring - statistical scoring of anonymous, aggregated assessment responses. This is rule-based analysis rather than a generative AI model.
- Recommendation generation - the Intervention Designer module may use AI to suggest behavioural interventions based on aggregated, anonymised maturity scores. Recommendations are advisory and require human selection and approval before deployment.
- Network analysis - Social Network Analysis features in the Champions module use deterministic graph algorithms, not machine learning, to identify influence patterns from anonymised relationship data.
- Drafting assistance - administrators may use AI-assisted drafting tools within the platform to write nudges, communications, or campaign content. All output is editable and requires human approval before sending.
We do not use AI to make automated decisions that produce legal or similarly significant effects on individuals. We do not use AI for individual-level behavioural prediction, employee scoring, or covert assessment of named users.
Third-party AI services
Where we use AI, we rely on established providers under contractual data processing agreements. Our current AI sub-processors are:
- OpenAI - used for AI enablement features within the CyBehave Heroes platform, such as generating behavioural nudges, drafting communications, and producing recommendation text within administrator workflows.
- Anthropic - used to support content development and interactive demonstrations on the CyBehave marketing site (cybehave.com), including AI-assisted drafting and editorial review of articles, insights, and resource materials.
Both providers operate under terms that, by default, exclude API inputs from being used to train their underlying models. We select providers based on stated data handling commitments (including no use of API inputs for model training by default), hosting location and data transfer safeguards appropriate to UK GDPR, published safety and acceptable use policies that align with our own values, and operational reliability and security posture.
If we add or change AI sub-processors in future, this section will be updated and the "last updated" date amended. Material changes will also be communicated to registered Heroes users.
EU AI Act risk classification
Regulation (EU) 2024/1689 (the EU AI Act) classifies AI systems by risk. We have assessed our AI uses against the Act and conclude that our current and near-term uses fall within the lower-risk categories.
Unacceptable risk (prohibited)
We do not deploy any AI system in the prohibited categories under Article 5 of the Act. This includes social scoring, exploitative manipulation, untargeted scraping of facial images, real-time remote biometric identification in public spaces, predictive policing based solely on profiling, emotion recognition in workplaces or educational institutions, and biometric categorisation by sensitive attributes.
High risk (Annex III)
None of our current AI uses fall within the high-risk categories listed in Annex III of the Act. We do not deploy AI for employment decisions, access to essential services, law enforcement, education or training assessment of natural persons, or critical infrastructure operation. Our maturity assessment scoring evaluates organisational culture in aggregate, not individual employees.
Limited risk (transparency obligations)
Some of our features fall within the limited-risk category and trigger transparency obligations under Article 50 of the Act. Specifically: AI-assisted content is identified where reasonable; AI-powered demonstrations and chat-style features disclose that you are interacting with an AI system; and synthetic or substantially AI-generated images, audio, or video are labelled as such.
Minimal risk
The majority of our AI uses fall into the minimal-risk category, for which the Act imposes no specific obligations beyond voluntary codes of conduct. We nevertheless apply our internal AI principles to these uses.
General-purpose AI models
We are a deployer of general-purpose AI models supplied by third-party providers; we are not a provider of foundation models. Our providers are responsible for compliance with the obligations applicable to GPAI model providers under Articles 51 to 55 of the Act.
UK regulatory alignment
The United Kingdom does not currently have a single statutory equivalent to the EU AI Act. Instead, the UK applies a sectoral, pro-innovation framework set out in the 2023 government white paper, with existing regulators applying their remits to AI use within their sectors. Where we operate in the UK, we align our AI practices with:
- UK GDPR and the Data Protection Act 2018 - enforced by the Information Commissioner's Office (ICO), including its published guidance on AI and data protection.
- The five cross-sectoral AI principles - safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress.
- The Equality Act 2010 - to avoid AI-driven outcomes that produce unlawful discrimination.
- NCSC guidance on the secure development and deployment of AI systems.
- ICO guidance on automated decision-making, AI risk assessments, and the right to human review.
Where the UK introduces statutory AI legislation in future, we will reassess this policy and update it accordingly. Where EU AI Act standards are stricter than UK requirements, we apply the EU standard as our baseline.
Transparency and human oversight
We design AI features so that you can tell when AI is involved and so that a human remains in control of consequential decisions.
- Disclosure at point of use - AI-powered features carry visible labels and a brief explanation of what the AI does.
- Editable output - AI-generated suggestions, drafts, and recommendations are editable by the human user before any action is taken.
- Human approval before action - no AI-generated content is published, sent, or applied to your organisation without explicit human approval.
- Explainability - we will explain, on request, the general method by which an AI feature produced an output, including the model used and the inputs considered.
- Logging - significant AI interactions are logged for audit and review purposes, in line with our Privacy Policy.
Practices we will not engage in
The following uses are prohibited across all CyBehave properties, regardless of customer or user request:
- Individual-level behavioural surveillance, profiling, or scoring of named employees.
- Use of AI for covert monitoring of staff communications, productivity, or sentiment.
- Emotion recognition or affect inference in workplace or educational contexts.
- Biometric categorisation by race, religion, political opinion, sexual orientation, or other sensitive attributes.
- Sharing of customer or user data with AI providers for the purpose of training their models.
- Use of AI outputs to make final, automated decisions about a person without human review.
- Generation of deceptive synthetic content (deepfakes) of real individuals.
- Any deployment that would fall under Article 5 of the EU AI Act as a prohibited practice.
Your data and AI
By default, content you submit to AI-powered features on our properties is not used to train third-party AI models. We rely on AI provider configurations and contractual terms that exclude API inputs from model training.
Where AI features process personal data, we apply the same legal bases, retention rules, and security controls described in our Privacy Policy. We minimise the personal data sent to AI providers and, where feasible, send only anonymised, aggregated, or synthetic inputs.
We do not train our own foundation models on customer or user data. Where we develop AI features in-house, training and tuning use synthetic data, public datasets, or data we have explicit rights to use.
Your rights
In addition to your rights under UK GDPR (see the Privacy Policy), you have the following rights in relation to AI features on our properties:
- Right to know - to be told whether an interaction or output involves AI.
- Right to explanation - to receive a meaningful description of how an AI feature reached an output that affects you.
- Right to human review - to have an AI-influenced decision or output reviewed by a human at CyBehave.
- Right to opt out - to decline AI-powered features where they are optional, without losing access to core services.
- Right to challenge - to contest AI outputs you consider inaccurate, biased, or unfair.
To exercise any of these rights, contact ai@cybehave.com. You may also raise concerns with the ICO or, where applicable, with your national data protection authority in the EU/EEA.
AI in our research
CyBehave conducts research at the intersection of behavioural science, cybersecurity, and AI. Our research programmes, including Behavioural Convergence Theory (BCT), examine how established human behavioural frameworks can be extended to govern the behaviour of agentic AI systems.
Research outputs published on cybehave.com may use AI tools for literature review, data analysis, drafting, and visualisation. Research that involves human participants follows separate ethics, consent, and data protection processes documented at the time of recruitment. We do not conduct research on AI systems in ways that would breach safety guidelines published by the underlying model provider.
Governance and updates
This policy is owned by the CyBehave AI Governance function and is reviewed at least annually, and additionally whenever: we introduce a materially new AI feature or change an existing one; an AI sub-processor is added or replaced; applicable law or regulatory guidance changes (for example, new EU AI Act application dates or new UK AI legislation); or an incident or near-miss prompts a review of our controls.
Material changes will be reflected in the "last updated" date and, where appropriate, communicated to registered Heroes users by email.
Contact us
AI policy and AI feature queries: ai@cybehave.com. Privacy queries: privacy@cybehave.com. General enquiries: see the Contact page on cybehave.com.
