SSE - Privacy Policy

Section 1

Data Controller and Scope

The data controller responsible for your personal data is:

SSE Network Ltd
Registered in: Republic of Cyprus
Website: sse.to
Data Protection Contact: [email protected]
Telephone: (800) 285-1041

Within the meaning of the GDPR, SSE Network ("SSE," "we," "us," or "our") determines the purposes and means of processing personal data collected through our Website, Portal, APIs, and all associated managed IT services (collectively, the "Services").

This Policy applies to:

Visitors to our Website and Portal.
Clients and authorized users of our managed IT services.
Prospective clients who engage with our sales and marketing channels.
Business partners, vendors, and service providers who interact with SSE.
Individuals whose personal data is processed by our clients using SSE infrastructure (in which case SSE acts as a data processor — see Section 13).

Where SSE processes personal data on behalf of a client (e.g., data stored on our backup or VPS infrastructure), SSE acts as a data processor under the GDPR. In such cases, the client remains the data controller, and a Data Processing Agreement governs the relationship (see Section 13).

Section 2

Personal Data We Collect

We collect and process personal data through several channels and interactions. The following table provides a comprehensive overview of the categories of data we process:

2.1 Data Provided Directly by You

Category	Data Elements	Legal Basis	Retention
Identity Data	Full name, company name, job title, VAT/tax ID	Contract, Legal obligation	Account lifetime + 30 days
Contact Data	Email address, phone number, postal address, emergency contacts	Contract, Legitimate interest	Account lifetime + 30 days
Authentication Data	Username, hashed passwords, MFA tokens, SSH public keys, API keys	Contract	Account lifetime
Financial Data	Payment card details (tokenized via PCI-DSS compliant processor), billing address, invoice history, bank details for wire transfers	Contract, Legal obligation	10 years (tax law)
Service Configuration	Server specifications, backup schedules, network configurations, DNS records, software licenses	Contract	Account lifetime + 30 days
Support Data	Support tickets, chat transcripts, screen recordings shared during support sessions, escalation records	Contract, Legitimate interest	3 years from resolution
Communication Data	Email correspondence, feedback, survey responses, consent records	Consent, Legitimate interest	3 years or until consent withdrawn

2.2 Data Collected Automatically

Category	Data Elements	Legal Basis	Retention
Device Data	IP address, browser type/version, operating system, device type, screen resolution, language preferences	Legitimate interest	12 months
Usage Data	Pages visited, session duration, click patterns, referral source, navigation paths	Legitimate interest, Consent	26 months
Location Data	Approximate geolocation (country/city level) derived from IP address	Legitimate interest	12 months
Infrastructure Logs	Server access logs, authentication logs, error logs, API request logs, firewall logs	Legitimate interest, Legal obligation	12 months

2.3 Data from Third-Party Sources

Payment processors (Stripe, PayPal): Transaction confirmations, fraud risk assessments, chargeback notifications.
Domain registrars and DNS providers: WHOIS data for domain-related services.
Identity verification services: For KYC/AML compliance where required by law.
Publicly available sources: Business registries, company websites, and professional networking platforms for B2B sales.

Data Minimization. In accordance with GDPR Article 5(1)(c), we collect only the minimum personal data necessary to fulfill each stated purpose. We conduct periodic reviews of our data collection practices to ensure ongoing compliance with the principle of data minimization.

Section 3

Legal Basis for Processing

Under GDPR Article 6, we process personal data only when we have a valid legal basis. Each processing activity relies on one or more of the following grounds:

Legal Basis	Application
Performance of Contract Art. 6(1)(b) GDPR	Processing necessary to deliver the Services you have ordered: provisioning infrastructure, managing your account, processing payments, providing technical support, and fulfilling our obligations under Service Orders and SLAs.
Legitimate Interests Art. 6(1)(f) GDPR	Processing necessary for our legitimate business interests where these are not overridden by your rights and freedoms: infrastructure security monitoring, fraud prevention, service optimization, internal analytics, business development, and IT system administration. We perform Legitimate Interest Assessments (LIAs) and document the balancing of interests.
Consent Art. 6(1)(a) GDPR	Processing based on your freely given, specific, informed, and unambiguous consent: marketing communications, non-essential cookies, newsletter subscriptions, and optional surveys. Consent may be withdrawn at any time without affecting the lawfulness of prior processing.
Legal Obligation Art. 6(1)(c) GDPR	Processing required to comply with applicable laws and regulations: tax and accounting records (applicable tax and commercial legislation), anti-money laundering requirements, regulatory audits, lawful data preservation orders, and responses to valid legal process.
Vital Interests Art. 6(1)(d) GDPR	In exceptional circumstances, processing necessary to protect the vital interests of a natural person, such as responding to a security incident that poses an imminent threat.

Record of Processing Activities. SSE maintains a Record of Processing Activities (ROPA) as required by GDPR Article 30, documenting all categories of processing, data flows, legal bases, and retention periods. A summary is available upon request to the Data Protection Officer.

Section 4

Purposes of Processing

4.1 Service Delivery and Operations

Provisioning, configuring, and maintaining cloud infrastructure, backup environments, virtual servers, and FTP storage services.
Authenticating users and managing access controls across all service tiers.
Processing transactions, generating invoices, and managing billing cycles.
Providing multi-tier technical support (L1/L2/L3) via phone, email, Portal tickets, and remote access.
Performing service migrations, upgrades, and scheduled maintenance operations.

4.2 Security and Infrastructure Protection

Continuous monitoring of infrastructure for unauthorized access, anomalous activity, and potential threats.
Operating intrusion detection/prevention systems (IDS/IPS), SIEM platforms, and DDoS mitigation services.
Conducting vulnerability assessments, penetration testing, and security incident investigations.
Enforcing acceptable use policies and detecting abuse (spam, malware distribution, resource abuse).

4.3 Analytics and Service Improvement

Analyzing aggregated and anonymized usage patterns to improve Website performance and user experience.
Conducting capacity planning and infrastructure optimization based on usage trends.
Evaluating the effectiveness of support processes and identifying areas for improvement.

4.4 Communication

Transactional: Essential service notifications, including outage alerts, maintenance windows, security advisories, billing reminders, and policy updates. These communications are required for service delivery and cannot be opted out of.
Marketing: With your explicit consent, promotional communications about new services, features, and industry insights. You may unsubscribe at any time via the link in each email or by contacting us.

4.5 Legal and Regulatory Compliance

Maintaining financial records as required under applicable Cyprus and EU tax and commercial regulations.
Responding to lawful requests from courts, regulatory authorities, and law enforcement.
Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing activities as required by GDPR Article 35.

Section 5

Data Sharing and Sub-Processors

We do not sell personal data. We have never sold personal data and have no plans to do so. We do not share personal data with third parties for their own marketing purposes.

5.1 Authorized Sub-Processors

We engage carefully vetted sub-processors to assist in delivering our Services. Each sub-processor is bound by a Data Processing Agreement that requires GDPR-equivalent protections. Our current sub-processor categories include:

Sub-Processor Category	Purpose	Data Location
Data center operators	Physical infrastructure hosting (Tier III+ facilities)	EU (Germany, Netherlands)
Payment processors	Secure transaction processing (PCI-DSS Level 1 certified)	EU, US
Backup software vendors	Backup orchestration and management (Veeam)	EU
Monitoring and alerting platforms	Infrastructure monitoring, uptime tracking, incident alerting	EU
Support and CRM platforms	Ticket management, client communication	EU
Email delivery services	Transactional and service emails	EU, US (with SCCs)
Server-side log analysis	Internal website usage analysis (no third-party analytics service)	EU

A complete list of named sub-processors is available upon request. We notify clients of any intended changes to sub-processors at least thirty (30) days in advance, providing an opportunity to object.

5.2 Legal Disclosure

We may disclose personal data when required to:

Comply with applicable law, regulation, legal process, or enforceable governmental request.
Enforce our Terms and Conditions, including investigation of potential violations.
Protect the rights, property, or safety of SSE, our clients, or the public.

Where legally permitted, we will notify you before disclosing your data in response to legal process and will challenge requests we believe are overly broad or legally deficient.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will provide at least thirty (30) days' advance notice and ensure that the successor is bound by equivalent data protection obligations.

Section 6

Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Website. Our use of cookies complies with the ePrivacy Directive (2002/58/EC) and GDPR consent requirements.

Type	Purpose	Consent Required	Duration
Strictly Necessary	Session management, authentication, CSRF protection, load balancing	No (exempt)	Session – 1 year
Performance	Page load timing, error tracking, server response monitoring	Yes	Up to 2 years
Functional	Language preferences, display settings, remembered form fields	Yes	Up to 1 year
Analytics	Visitor behavior analysis, traffic source identification, feature usage	Yes	Up to 26 months

We do not use advertising or behavioral tracking cookies. For detailed information about specific cookies and how to manage your preferences, please see our Cookies Policy.

Section 7

Data Retention Schedule

We retain personal data in accordance with the principle of storage limitation (GDPR Article 5(1)(e)). Our retention periods are determined by legal requirements, contractual necessity, and legitimate business needs:

Data Category	Active Retention	Archive/Backup	Legal Basis
Account and identity data	Duration of account + 30 days	90 days in encrypted backups	Contract performance
Financial and billing records	10 years from fiscal year end	—	EU/Cyprus tax law
Support tickets and correspondence	3 years from ticket closure	90 days in encrypted backups	Legitimate interest
Infrastructure and access logs	12 months	—	Legitimate interest, Legal obligation
Consent records	Duration of consent + 3 years	—	Legal obligation (proof of consent)
Website analytics data	26 months	—	Consent
Marketing opt-out records	Indefinite	—	Legal obligation (honoring opt-outs)
Client Data on SSE infrastructure	Duration of service	30 days post-termination for export, then secure deletion	Contract performance

Upon expiration of the applicable retention period, personal data is permanently deleted using secure erasure methods (NIST SP 800-88 compliant) or irreversibly anonymized. Data stored in encrypted backup archives is purged on the next scheduled backup rotation cycle.

Section 8

Technical and Organizational Security Measures

Pursuant to GDPR Article 32, SSE implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing. Our security program includes:

8.1 Encryption

AES-256 encryption for all data at rest across storage systems and backup repositories.
TLS 1.2+ (TLS 1.3 preferred) for all data in transit, including client-to-server and server-to-server communication.
End-to-end encryption for backup data using client-managed encryption keys where configured.

8.2 Access Management

Principle of least privilege applied across all systems and personnel.
Multi-factor authentication (MFA) mandatory for all administrative and privileged access.
Role-based access control (RBAC) with quarterly access reviews and automated deprovisioning.
Privileged Access Management (PAM) with session recording for critical infrastructure.

8.3 Network and Infrastructure Security

Next-generation firewalls with deep packet inspection and application-layer filtering.
Network segmentation and micro-segmentation isolating client environments.
Intrusion Detection and Prevention Systems (IDS/IPS) with real-time alerting.
Security Information and Event Management (SIEM) with 24/7 SOC monitoring.
Distributed Denial-of-Service (DDoS) mitigation at network edge.

8.4 Physical Security

Tier III+ certified data centers with N+1 redundancy for power, cooling, and network.
24/7 on-site security personnel, CCTV surveillance, and biometric access controls.
Environmental monitoring including fire suppression, flood detection, and temperature control.

8.5 Operational Security

Regular vulnerability assessments and annual third-party penetration testing.
Automated patch management with defined SLAs for critical, high, and medium vulnerabilities.
Secure software development lifecycle (SDLC) practices for internal tooling.
Documented incident response plan with defined escalation procedures and post-incident review.
Mandatory security awareness training for all personnel, with annual refresher and phishing simulations.

8.6 Compliance Framework

GDPR Compliant Cyprus Data Protection Law PCI-DSS (via payment processors) Tier III+ Data Centers NIST SP 800-88 (Data Erasure)

Section 9

International Data Transfers

SSE primarily processes and stores personal data within the European Economic Area (EEA), with core infrastructure located in Germany and the Netherlands. In limited circumstances, personal data may be transferred outside the EEA where necessary for service delivery.

9.1 Transfer Safeguards

Any transfer of personal data outside the EEA is conducted in accordance with GDPR Chapter V and is protected by one or more of the following safeguards:

Adequacy Decisions (Art. 45 GDPR): Transfers to countries recognized by the European Commission as providing an adequate level of data protection.
Standard Contractual Clauses (Art. 46(2)(c) GDPR): EU Commission-approved SCCs (Decision 2021/914) executed with all data importers, supplemented by Transfer Impact Assessments (TIAs) where required.
EU-US Data Privacy Framework: For transfers to certified US organizations, reliance on the EU-US Data Privacy Framework adequacy decision where applicable.
Binding Corporate Rules (Art. 47 GDPR): Where adopted by affiliates or sub-processors.

9.2 Transfer Impact Assessments

For transfers relying on Standard Contractual Clauses, SSE conducts Transfer Impact Assessments to evaluate the legal framework of the destination country and determine whether supplementary measures are necessary to maintain an equivalent level of protection.

Copies of the applicable SCCs and TIA summaries are available upon request by contacting [email protected].

Section 10

Rights of EEA Data Subjects (GDPR)

If you are located in the European Economic Area, you have the following rights under GDPR Articles 15–22. You may exercise any of these rights free of charge by contacting [email protected].

Right	What It Means
Right of Access Art. 15	Obtain confirmation of whether we process your data and, if so, receive a copy of the data together with information about the purposes, categories, recipients, retention periods, and your rights.
Right to Rectification Art. 16	Request correction of inaccurate personal data or completion of incomplete data without undue delay.
Right to Erasure Art. 17	Request deletion of your personal data when it is no longer necessary for its original purpose, you withdraw consent, you object to processing, or the data was unlawfully processed. Subject to legal retention requirements.
Right to Restriction Art. 18	Request that processing be restricted while we verify accuracy of contested data, while we assess an objection, when processing is unlawful but you prefer restriction over erasure, or when we no longer need the data but you require it for legal claims.
Right to Data Portability Art. 20	Receive your data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
Right to Object Art. 21	Object to processing based on legitimate interests or for direct marketing purposes. For direct marketing, we will immediately cease processing upon objection. For legitimate interests, we will cease unless we demonstrate compelling grounds that override your rights.
Right to Withdraw Consent Art. 7(3)	Withdraw previously given consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right Not to Be Subject to Automated Decisions Art. 22	Not be subject to a decision based solely on automated processing, including profiling, that produces legal effects or similarly significant effects. See Section 12 for details.
Right to Lodge a Complaint Art. 77	File a complaint with the Commissioner for Personal Data Protection in Cyprus or the supervisory authority in the EU/EEA Member State of your habitual residence or place of work.

Request Handling Procedures

Response Time: We will acknowledge receipt within 5 business days and provide a substantive response within 30 days (extendable by 60 days for complex requests, with prior notification).
Identity Verification: We verify your identity before processing requests to prevent unauthorized disclosure. Verification may include confirmation via the email address on file or additional documentation.
Fee: Requests are processed free of charge. We reserve the right to charge a reasonable administrative fee or refuse manifestly unfounded or excessive requests (GDPR Article 12(5)).
Format: Data portability responses are provided in JSON or CSV format, encrypted and delivered via secure channel.

Section 11

Rights of California Residents (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA"), provides you with additional rights regarding your personal information.

11.1 Your CCPA Rights

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom it is shared.
Right to Delete: Request deletion of personal information we have collected, subject to certain legal exceptions.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. No opt-out action is required.
Right to Limit Use of Sensitive Information: Where applicable, request that we limit the use of sensitive personal information to purposes authorized by the CCPA.
Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your CCPA rights.

11.2 Exercising CCPA Rights

California residents may submit requests by emailing [email protected] with the subject line "CCPA Request" or by calling (800) 285-1041. We will verify your identity and respond within 45 days, with a possible 45-day extension upon notice.

11.3 California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents may request information about personal data shared with third parties for direct marketing purposes. As stated above, SSE does not share personal data with third parties for their direct marketing purposes.

Section 12

Automated Decision-Making and Profiling

In accordance with GDPR Article 22, we provide transparency regarding automated processing:

Fraud Detection: We use automated systems to detect potentially fraudulent transactions and account activity. Flagged transactions may be temporarily held for manual review. This processing is necessary for the performance of our contract with you and our legitimate interest in fraud prevention.
Infrastructure Security: Automated threat detection systems analyze network traffic patterns and may automatically block IP addresses or connections identified as malicious. This processing is necessary for our legitimate interest in protecting our infrastructure and clients.
Abuse Detection: Automated monitoring identifies violations of our Acceptable Use Policy, such as spam origination or resource abuse. Detected violations trigger manual review before any service action is taken.

We do not use automated decision-making that produces legal effects or similarly significant effects on you without human intervention. Where automated processing contributes to a decision that affects your service, you have the right to request human review, express your point of view, and contest the decision by contacting [email protected].

Section 13

Data Processing Agreements

13.1 SSE as Data Processor

When clients store, process, or transmit personal data using SSE infrastructure (e.g., cloud backup, VPS, FTP storage), SSE acts as a data processor within the meaning of GDPR Article 28. The client remains the data controller and is responsible for determining the purposes and means of processing.

13.2 DPA Availability

SSE provides a GDPR-compliant Data Processing Agreement (DPA) to all clients. The DPA addresses:

Subject matter, duration, nature, and purpose of processing.
Categories of data subjects and types of personal data processed.
Obligations and rights of the data controller.
SSE's obligations regarding sub-processors, data transfers, security measures, breach notification, audit rights, and data deletion.
Technical and organizational measures implemented pursuant to GDPR Article 32.

To request a DPA or discuss data processing arrangements, contact [email protected].

13.3 Audit Rights

In accordance with GDPR Article 28(3)(h), clients acting as data controllers have the right to audit SSE's compliance with data processing obligations. Audits may be conducted by the client or a mandated independent auditor, subject to reasonable advance notice, confidentiality obligations, and mutual scheduling coordination. SSE may provide SOC 2 Type II reports, ISO 27001 audit summaries, or equivalent third-party attestations to satisfy audit requirements.

Section 14

Data Breach Notification

14.1 Supervisory Authority Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, SSE will notify the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, in accordance with GDPR Article 33.

14.2 Data Subject Notification

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, SSE will communicate the breach to affected data subjects without undue delay, in accordance with GDPR Article 34. The notification will describe:

The nature of the breach, including the categories and approximate number of data subjects and records affected.
The likely consequences of the breach.
The measures taken or proposed to address the breach and mitigate potential adverse effects.
Contact details of the Data Protection Officer.

14.3 Client Notification (Processor Role)

Where SSE acts as a data processor, we will notify the affected client (data controller) of any confirmed personal data breach without undue delay and no later than 48 hours after confirmed detection, providing sufficient information to enable the controller to fulfill its own notification obligations.

14.4 Incident Response

SSE maintains a documented Incident Response Plan that includes:

Defined severity levels and escalation procedures.
Designated incident response team with 24/7 on-call availability.
Containment, eradication, and recovery procedures.
Evidence preservation and forensic investigation protocols.
Post-incident review and remediation tracking.
Regulatory and law enforcement liaison procedures where required.

Section 15

Children's Privacy

Our Services are designed for business use and are not directed at individuals under the age of sixteen (16). We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take immediate steps to delete the data from our systems and notify the relevant supervisory authority if required.

If you are a parent or guardian and believe a child has provided personal data to SSE, please contact us immediately at [email protected].

Section 16

Third-Party Links and Services

Our Website may contain links to third-party websites, applications, or services that are not operated or controlled by SSE. This Privacy Policy does not apply to those third-party services, and we are not responsible for their privacy practices, content, or security measures.

We recommend reviewing the privacy policy of any third-party service before providing personal data. The inclusion of a link on our Website does not imply endorsement, sponsorship, or affiliation.

Section 17

Policy Updates

We review this Privacy Policy at least annually and update it as necessary to reflect changes in our practices, technologies, legal requirements, or regulatory guidance. When we make changes:

The version number and "Last Revised" date at the top of this page will be updated.
Material changes will be communicated via email and/or a prominent notice on the Website at least thirty (30) days before taking effect.
Previous versions of this policy are archived and available upon request.
Continued use of the Services after the effective date constitutes acceptance of the revised policy.

Section 18

Data Protection Officer

SSE has appointed a Data Protection Officer (DPO) in accordance with GDPR Article 37. The DPO independently monitors compliance with data protection legislation, advises on Data Protection Impact Assessments, and serves as the point of contact for data subjects and supervisory authorities.

Email: [email protected]
Subject Line: "DPO Inquiry" or "Data Subject Request"

Supervisory Authority

If you are not satisfied with our response to a data protection inquiry, you have the right to lodge a complaint with a data protection supervisory authority. The competent authority for SSE is:

Commissioner for Personal Data Protection (Επίτροπος Προστασίας Δεδομένων Προσωπικού Χαρακτήρα), Iasonos 1, 1082 Nicosia, Cyprus — www.dataprotection.gov.cy
You may also lodge a complaint with the supervisory authority in the EU/EEA Member State of your habitual residence or place of work.

Section 19

Contact and Complaints

For any questions, concerns, data subject requests, or complaints related to this Privacy Policy or our data processing practices:

Channel	Contact	Use For
Data Protection Officer	[email protected]	Data subject requests, GDPR inquiries, DPA requests, privacy complaints
General Support	[email protected]	Account-related privacy settings, cookie preferences, opt-out requests
Telephone	(800) 285-1041	Urgent privacy concerns, CCPA requests
Client Portal	clients.sse.to	Account settings, data export, consent management

Questions about your data?

Our Data Protection Officer is available to assist with any privacy-related inquiries, data subject requests, or to provide a copy of our Data Processing Agreement.

Contact the DPO