Privacy Policy

1. Who we are

ScenarioX (“ScenarioX”, “we”, “us”, “our”) is the operator of the ScenarioX cybersecurity tabletop exercise platform available at scenariox.io and the application at app.scenariox.io. For the purpose of GDPR, we act as the data controller for personal data we collect through the public website, and as a data processor for customer-uploaded exercise data inside the application.

For full provider information see our Legal Notice (Impressum).

2. What data we collect

We collect only the data we need to operate the service:

• Account data: name, work email, job title, organisation, hashed password, two-factor authentication secret (if enabled).
• Exercise data: scenarios, injects, decisions, actions, participant comments and the timestamps you generate while using the platform. This data belongs to your tenant and is isolated from other tenants.
• Lead data: when you submit the trial form or download the free guide, we collect the form fields (name, work email, job title, company).
• Integration data: if you connect Slack or Microsoft Teams, we store OAuth tokens encrypted at rest using Fernet symmetric encryption.
• Audit logs: exercise actions, role changes, and security-relevant events are written to a hash-chained audit trail for tamper-evidence.
• Technical data: IP address, browser type, request timestamps and standard server logs, kept for security and abuse prevention.

3. How and why we use your data

• To provide the service (authentication, running exercises, generating reports).
• To improve and secure the platform (debugging, abuse detection, capacity planning).
• To send service-related communication (account verification, security alerts, billing notices).
• To respond to your sales or support enquiries.
• To comply with legal obligations (accounting, lawful information requests).

We do not sell personal data, we do not use your exercise content to train AI models, and we do not share data with advertising networks.

4. Legal basis for processing (GDPR Art. 6)

• Contract (Art. 6(1)(b)) — for everything required to deliver the platform you have subscribed to.
• Legitimate interest (Art. 6(1)(f)) — for security, fraud prevention, product analytics on aggregated usage, and responding to your enquiries.
• Consent (Art. 6(1)(a)) — for the marketing emails you opt into when downloading the free guide.
• Legal obligation (Art. 6(1)(c)) — for invoicing, tax records and lawful information requests.

5. Sharing and sub-processors

We share data only with sub-processors that are necessary to run the service. Each sub-processor is bound by a Data Processing Agreement and processes data only on documented instructions from us.

We do not transfer your data to advertising or analytics platforms. The current public landing page does not load any third-party analytics or marketing trackers — see our Cookie Policy.

6. International transfers

Your account data and exercise data are stored within the European Union on Scaleway infrastructure. Where a sub-processor (such as the AI provider used for scenario generation) processes data outside the EU, we rely on the European Commission’s Standard Contractual Clauses (SCCs) and additional technical safeguards (encryption in transit, prompt-content filtering, no training on customer data).

7. Data retention

• Account data: for the lifetime of your subscription, then deleted within 90 days of account closure unless retention is legally required.
• Exercise data: retained for as long as your tenant exists; you can delete individual exercises and reports at any time from the application.
• Lead data: retained for up to 24 months from your last interaction, unless you ask us to delete it sooner.
• Audit logs: retained for at least 12 months for security and compliance evidence.
• Server logs: retained for up to 30 days, then rotated.
• Backups: rolling 30-day window; older backups are deleted automatically.

8. Your rights

Under GDPR (and equivalent laws in other jurisdictions) you have the right to:

• Access the personal data we hold about you (Art. 15).
• Have inaccurate data corrected (Art. 16).
• Have your data erased where applicable (Art. 17).
• Restrict or object to processing (Art. 18 and 21).
• Receive your data in a portable format (Art. 20).
• Withdraw consent at any time, without affecting prior lawful processing.
• Lodge a complaint with your local supervisory authority.

To exercise any of these rights, email info@scenariox.io. We respond within 30 days.

9. How we protect your data

Data is encrypted in transit (TLS 1.2+) and at rest. OAuth tokens for third-party integrations are individually encrypted with Fernet. The audit trail uses HMAC hash-chaining so tampering is detectable. Tenant data is isolated by mandatory tenant_id scoping on every database query. For the full list of controls see our Security page.

10. Cookies and local storage

The public landing page does not set tracking cookies. We use localStorage to remember your language preference and a session flag to avoid repeated language redirects. The application sets a session cookie required for authentication. Full details are in our Cookie Policy.

11. Children

ScenarioX is a B2B service intended for organisations and is not directed at children under 16. We do not knowingly collect personal data from children.

12. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent change. Material changes are announced inside the application and, where relevant, by email.

13. Contact

For privacy questions, data subject requests or to designate a Data Protection Officer contact, write to info@scenariox.io. For all other enquiries see our Contact page.