Privacy Policy
How EIC Limited collects, uses, protects and shares your personal data across our cybersecurity and compliance services.
1. Introduction
This Privacy Policy explains how EIC Limited (“EIC”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when you use our website, services, and technology platforms.
EIC Limited is the data controller responsible for your personal data. Our registered address is:
EIC Limited, House 15, Road 7, Niketan, Gulshan, Dhaka 1212, Bangladesh
This policy applies to all individuals who interact with our services, including clients, prospective clients, website visitors, and individuals whose data we process as part of our compliance and cybersecurity assessment services across 7 countries in Asia-Pacific.
2. Information We Collect
We collect the following categories of personal data:
2.1 Information You Provide Directly
- Contact information — name, email address, phone number, job title, company name
- Scoping form data — industry, service interests, compliance requirements
- Engagement data — contracts, statements of work, assessment questionnaires
- Communication records — emails, call notes, meeting records related to engagements
2.2 Information Collected Automatically
- Technical data — IP address, browser type and version, operating system, device type
- Usage data — pages visited, time on page, referral source, navigation path
- Cookie data — session identifiers, preference settings (see Section 11)
2.3 Information from Third Parties
- Professional credentials — PCI SSC assessor directory, CREST membership records
- Client-provided data — cardholder data environment details, network diagrams, system inventories provided during compliance assessments
| Category | Examples | Source |
|---|---|---|
| Identity | Name, job title | Direct / Client |
| Contact | Email, phone | Direct |
| Technical | IP, browser, device | Automatic |
| Usage | Pages visited, time | Automatic |
| Assessment | CDE data, network diagrams | Client-provided |
3. How We Collect Information
We collect personal data through the following channels:
- Website forms — contact forms, scoping estimate requests, newsletter subscriptions
- Direct communications — emails, phone calls, video conferences, and in-person meetings
- Engagement activities — compliance assessments, penetration tests, vulnerability scans, and audit processes
- Technology platforms — CardIntel, Infiltra, and Complio when used as part of our services
- Automated technologies — cookies, server logs, and analytics tools when you visit our website
4. Legal Basis for Processing
We process your personal data under the following legal bases:
| Legal Basis | Processing Activity |
|---|---|
| Contractual necessity | Delivering compliance assessments, penetration testing, and advisory services |
| Legitimate interests | Improving our services, website analytics, marketing to existing clients |
| Consent | Newsletter subscriptions, marketing communications, non-essential cookies |
| Legal obligation | Compliance with regulatory requirements, tax records, audit trails |
Where processing is based on consent, you may withdraw consent at any time by contacting privacy@eicsecure.com. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5. How We Use Your Information
We use your personal data for the following purposes:
- Service delivery — conducting PCI DSS, SWIFT CSP, ISO 27001, CMMI, and other compliance assessments
- Client communications — responding to enquiries, scheduling scoping calls, sending engagement updates
- Platform operation — operating CardIntel, Infiltra, and Complio for assessment activities
- Quality assurance — internal audits, service improvement, and maintaining accreditation standards
- Legal and regulatory — complying with PCI SSC, CREST, and other accreditation body requirements
- Marketing — sending compliance newsletters, blog updates, and event invitations (with consent)
- Website improvement — analysing usage patterns to improve content, navigation, and performance
We do not sell, rent, or trade your personal data to third parties for their marketing purposes.
6. Data Sharing & Disclosure
We may share your personal data with the following categories of recipients:
- Accreditation bodies — PCI SSC, CREST, SWIFT, CMMI Institute, and ISO certification bodies as required to maintain our credentials and complete assessments
- Sub-processors — cloud hosting providers (AWS), email service providers, and CRM systems that process data on our behalf under contractual data processing agreements
- Professional advisors — lawyers, auditors, and insurers where necessary for business operations
- Legal authorities — government agencies, law enforcement, or regulatory bodies where required by law or to protect our legal rights
- Client-authorised parties — acquirers, card brands, or regulators when disclosure is required to complete your assessment deliverables
All third-party processors are contractually bound to process data only on our instructions and to implement appropriate security measures. We maintain a register of sub-processors available on request.
7. International Data Transfers
EIC operates across 7 countries in Asia-Pacific: Bangladesh, Singapore, Vietnam, Nepal, Bahrain, Malaysia, and the Philippines. Your personal data may be transferred to and processed in any of these jurisdictions.
Where data is transferred internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) for transfers to jurisdictions without adequacy determinations
- Data Processing Agreements (DPAs) with all sub-processors that include transfer safeguards
- Technical measures including encryption in transit (TLS 1.2+) and at rest
- Access controls ensuring data is only accessible to authorised personnel in the relevant jurisdiction
Singapore’s Personal Data Protection Act (PDPA) and Bangladesh’s Digital Security Act provide the primary regulatory frameworks governing our data processing activities. We also comply with applicable data protection laws in each jurisdiction where we operate.
8. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:
| Data Category | Retention Period | Reason |
|---|---|---|
| Assessment reports (ROC, AOC) | 7 years | PCI SSC requirement |
| Engagement contracts | 7 years post-completion | Legal obligation |
| Penetration test reports | 3 years | Accreditation requirement |
| Marketing consent records | Duration of consent + 1 year | Consent management |
| Website analytics | 26 months | Analytics provider default |
| Contact form submissions | 2 years | Business relationship |
When the retention period expires, data is securely deleted or anonymised. Assessment working papers containing cardholder data or sensitive security findings are subject to PCI SSC data destruction requirements.
9. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
Access
Request a copy of the personal data we hold about you.
Rectification
Correct inaccurate or incomplete personal data.
Erasure
Request deletion of your personal data where no legal obligation requires retention.
Portability
Receive your data in a structured, machine-readable format.
Restriction
Request that we restrict processing of your data in certain circumstances.
Objection
Object to processing based on legitimate interests or direct marketing.
Notification
Be informed of any data breach that poses a high risk to your rights.
Non-Discrimination
Exercise your rights without receiving discriminatory treatment.
Automated Decisions
Not be subject to decisions based solely on automated processing.
To exercise any of these rights, contact us at privacy@eicsecure.com. We will respond to your request within 30 days. We may request proof of identity before processing your request.
If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
10. Security Measures
As a cybersecurity and compliance company, we hold ourselves to the highest security standards. We implement the following measures to protect your personal data:
- Encryption — TLS 1.2+ for all data in transit; AES-256 encryption for data at rest
- Access control — role-based access control (RBAC) with multi-factor authentication for all systems
- Infrastructure — AWS hosting with WAF protection, DDoS mitigation, and SOC 2 Type II certified data centres
- Monitoring — 24/7 security monitoring, intrusion detection, and automated alerting
- Staff training — mandatory annual security awareness training for all employees
- Certifications — EIC maintains ISO 27001, ISO 9001, and ISO 14001 certifications for our own operations
- Incident response — documented incident response procedures with defined escalation paths and notification timelines
12. Children’s Privacy
Our services are directed at businesses and professionals, not individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take immediate steps to delete it.
If you believe a child has provided us with personal data, please contact us at privacy@eicsecure.com.
13. Changes to This Policy
We review this policy annually and may update it to reflect changes in our practices, services, or applicable laws. When we make material changes, we will:
- Update the “Effective Date” and “Version” at the top of this page
- Notify active clients via email where changes materially affect their data processing
- Post a notice on our website for a minimum of 30 days
This policy was last updated on 1 January 2025 (Version 2.1). The next scheduled review is January 2026.