Who We Are
HX Security ("we," "our," or "us") is a cybersecurity company based in India, specialising in offensive security, vulnerability assessment, penetration testing, red team operations, and security compliance advisory services.
We operate the website hxsecurity.in and all subdomains thereof. This Privacy Policy applies to all visitors, clients, and contacts who interact with our website, services, or communications.
Data Controller: HX Security | Email: contact@hxsecurity.in | Website: hxsecurity.in
Information We Collect
We collect only the information necessary to deliver our services, respond to enquiries, and improve our offerings. We never collect data unnecessarily.
2.1 Information You Provide Directly
- Contact & Assessment Forms: Your name, company name, email address, phone number, and description of your environment or security requirements.
- Email Communications: Any information you share when contacting us directly at our email addresses.
- Client Engagements: During paid engagements, we may receive additional organisational information, technical documentation, credentials (in-scope only), and project-related data — all governed by a separate Client Agreement and NDA.
2.2 Information Collected Automatically
- Log Data: IP address, browser type and version, operating system, referring URL, pages visited, and timestamps — collected via standard server logs.
- Analytics Data: Aggregated, anonymised usage statistics to understand how our website is used. We do not use Google Analytics or other invasive tracking tools without disclosure.
- Cookies: Essential cookies required for website functionality. See Section 8 for details.
2.3 Information We Do Not Collect
- We do not collect payment card details directly — all payments are processed through PCI-DSS compliant third-party gateways.
- We do not sell, rent, or trade your personal information to any third party, ever.
- We do not collect sensitive personal data (biometrics, health data, etc.) through this website.
How We Use Your Information
We use your personal data for specific, clearly defined purposes only:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Respond to assessment requests & enquiries | Name, email, company, environment description | Legitimate interest / Contract |
| Deliver security assessment services | All client-provided engagement data | Contract performance |
| Send service-related communications | Email address, name | Legitimate interest |
| Improve our website & services | Anonymised analytics, log data | Legitimate interest |
| Comply with legal obligations | As required by applicable law | Legal obligation |
| Prevent fraud & security incidents | IP address, log data | Legitimate interest |
We will never use your data for automated decision-making that produces legal or similarly significant effects without your explicit consent.
Legal Basis for Processing
We process your personal data under the following lawful bases in accordance with applicable Indian law (Information Technology Act 2000 & IT (Amendment) Act 2008) and international best practices:
- Consent: Where you have freely given, specific, informed, and unambiguous consent.
- Contractual Necessity: Where processing is required to fulfil a contract with you or to take pre-contractual steps at your request.
- Legitimate Interests: Where we have a legitimate business interest that does not override your rights and freedoms.
- Legal Obligation: Where we are required to process data to comply with applicable laws or regulations.
Data Sharing & Third Parties
We do not sell or trade your personal information. We may share data only in the following strictly controlled circumstances:
5.1 Service Providers
We work with carefully vetted third-party providers who assist us in operating our website and delivering services. These providers are contractually bound to process data only on our instructions and in accordance with this policy:
- Web hosting and infrastructure providers
- Email delivery services (for transactional communication only)
- Payment processors (PCI-DSS compliant; we share only what is necessary)
- Secure document storage and collaboration tools
5.2 Legal Requirements
We may disclose your information if required to do so by law, court order, or government authority, or where we believe disclosure is necessary to protect the rights, property, or safety of HX Security, our clients, or the public.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected individuals and ensure the receiving party upholds equivalent privacy protections.
Client Data Confidentiality: All data shared with us during security engagements is treated as strictly confidential under our client agreements and NDAs. It is never shared with third parties without explicit written authorisation.
Data Retention
We retain personal data only for as long as necessary for the purposes outlined in this policy, or as required by applicable law.
- Enquiry / Contact Data: Retained for up to 24 months from last contact, then securely deleted.
- Client Engagement Data: Retained for the duration of the engagement plus 3 years for legal and audit compliance purposes, then securely deleted or anonymised.
- Website Log Data: Retained for up to 90 days for security monitoring purposes.
- Financial Records: Retained for 7 years as required by Indian tax and accounting laws.
Upon expiry of these periods, data is securely deleted or irreversibly anonymised using methods that prevent reconstruction.
Your Rights
Subject to applicable law, you have the following rights with respect to your personal data. To exercise any of these rights, contact us at contact@hxsecurity.in. We will respond within 30 days.
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete data.
- Right to Erasure: Request deletion of your personal data where there is no legitimate basis for us to continue processing it.
- Right to Restrict Processing: Request that we limit how we use your data.
- Right to Data Portability: Request your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
We will not discriminate against you for exercising any of your data rights. All requests are handled free of charge unless manifestly unfounded or excessive.
Cookies & Tracking
Our website uses a minimal set of cookies essential to basic functionality. We do not use tracking cookies for advertising purposes.
8.1 Essential Cookies
These cookies are strictly necessary for the website to function and cannot be disabled:
- Session cookies: Maintain your session state during a single visit. Deleted when you close your browser.
- CSRF protection cookies: Protect form submissions from cross-site request forgery attacks.
8.2 Analytics (If Applicable)
If we deploy analytics tools in future, we will update this section and provide an opt-out mechanism. Any analytics will be privacy-preserving (e.g., cookieless, IP-anonymised).
8.3 Managing Cookies
You can control cookies through your browser settings. Disabling essential cookies may affect website functionality. Most browsers allow you to view, delete, and block cookies — refer to your browser's help documentation for specific instructions.
Security Measures
As a cybersecurity company, we hold ourselves to a higher standard than most. The technical and organisational measures we implement include:
- Encryption in Transit: All data transmitted to/from our website and services is encrypted using TLS 1.2+ with strong cipher suites.
- Encryption at Rest: Sensitive data is encrypted at rest using AES-256 or equivalent.
- Access Controls: Strict role-based access controls ensure only authorised personnel access client data, on a need-to-know basis.
- Secure Development: Our internal systems and client-facing assets are built and reviewed following secure development practices (OWASP, NIST).
- Regular Security Reviews: Our own infrastructure undergoes regular internal security assessments.
- Incident Response: We maintain a documented incident response plan. In the event of a data breach affecting your rights, we will notify you without undue delay.
No transmission over the internet is 100% secure. While we use industry-best measures to protect your data, we cannot guarantee absolute security. We encourage you to contact us securely via our email for sensitive communications.
Children's Privacy
Our website and services are not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected information from a child, please contact us immediately at contact@hxsecurity.in and we will take prompt action to delete it.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Post a notice on our website home page for a reasonable period.
- Where feasible, notify existing clients by email.
Your continued use of our website or services after any changes constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.
Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact our data team directly:
- Email: contact@hxsecurity.in
- Website: hxsecurity.in
- LinkedIn: linkedin.com/company/hx-security
We commit to responding to all privacy-related requests within 30 days of receipt.
Questions About Your Data?
Our team is happy to clarify anything in this policy or help you exercise your data rights. Reach out and we'll respond within 24 hours.