HomePrivacy Policy

Privacy Policy

How EIC Limited collects, uses, protects and shares your personal data across our cybersecurity and compliance services.

Effective: 1 January 2025Version: 2.1Next Review: January 2026

1. Introduction

This Privacy Policy explains how EIC Limited (“EIC”, “we”, “us”, or “our”) collects, uses, stores, and protects personal data when you use our website, services, and technology platforms.

EIC Limited is the data controller responsible for your personal data. Our registered address is:

EIC Limited, House 15, Road 7, Niketan, Gulshan, Dhaka 1212, Bangladesh

This policy applies to all individuals who interact with our services, including clients, prospective clients, website visitors, and individuals whose data we process as part of our compliance and cybersecurity assessment services across 7 countries in Asia-Pacific.


2. Information We Collect

We collect the following categories of personal data:

2.1 Information You Provide Directly

  • Contact information — name, email address, phone number, job title, company name
  • Scoping form data — industry, service interests, compliance requirements
  • Engagement data — contracts, statements of work, assessment questionnaires
  • Communication records — emails, call notes, meeting records related to engagements

2.2 Information Collected Automatically

  • Technical data — IP address, browser type and version, operating system, device type
  • Usage data — pages visited, time on page, referral source, navigation path
  • Cookie data — session identifiers, preference settings (see Section 11)

2.3 Information from Third Parties

  • Professional credentials — PCI SSC assessor directory, CREST membership records
  • Client-provided data — cardholder data environment details, network diagrams, system inventories provided during compliance assessments
Summary of personal data categories collected
CategoryExamplesSource
IdentityName, job titleDirect / Client
ContactEmail, phoneDirect
TechnicalIP, browser, deviceAutomatic
UsagePages visited, timeAutomatic
AssessmentCDE data, network diagramsClient-provided

3. How We Collect Information

We collect personal data through the following channels:

  • Website forms — contact forms, scoping estimate requests, newsletter subscriptions
  • Direct communications — emails, phone calls, video conferences, and in-person meetings
  • Engagement activities — compliance assessments, penetration tests, vulnerability scans, and audit processes
  • Technology platforms — CardIntel, Infiltra, and Complio when used as part of our services
  • Automated technologies — cookies, server logs, and analytics tools when you visit our website


5. How We Use Your Information

We use your personal data for the following purposes:

  • Service delivery — conducting PCI DSS, SWIFT CSP, ISO 27001, CMMI, and other compliance assessments
  • Client communications — responding to enquiries, scheduling scoping calls, sending engagement updates
  • Platform operation — operating CardIntel, Infiltra, and Complio for assessment activities
  • Quality assurance — internal audits, service improvement, and maintaining accreditation standards
  • Legal and regulatory — complying with PCI SSC, CREST, and other accreditation body requirements
  • Marketing — sending compliance newsletters, blog updates, and event invitations (with consent)
  • Website improvement — analysing usage patterns to improve content, navigation, and performance

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.


6. Data Sharing & Disclosure

We may share your personal data with the following categories of recipients:

  • Accreditation bodies — PCI SSC, CREST, SWIFT, CMMI Institute, and ISO certification bodies as required to maintain our credentials and complete assessments
  • Sub-processors — cloud hosting providers (AWS), email service providers, and CRM systems that process data on our behalf under contractual data processing agreements
  • Professional advisors — lawyers, auditors, and insurers where necessary for business operations
  • Legal authorities — government agencies, law enforcement, or regulatory bodies where required by law or to protect our legal rights
  • Client-authorised parties — acquirers, card brands, or regulators when disclosure is required to complete your assessment deliverables

All third-party processors are contractually bound to process data only on our instructions and to implement appropriate security measures. We maintain a register of sub-processors available on request.


7. International Data Transfers

EIC operates across 7 countries in Asia-Pacific: Bangladesh, Singapore, Vietnam, Nepal, Bahrain, Malaysia, and the Philippines. Your personal data may be transferred to and processed in any of these jurisdictions.

Where data is transferred internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) for transfers to jurisdictions without adequacy determinations
  • Data Processing Agreements (DPAs) with all sub-processors that include transfer safeguards
  • Technical measures including encryption in transit (TLS 1.2+) and at rest
  • Access controls ensuring data is only accessible to authorised personnel in the relevant jurisdiction

Singapore’s Personal Data Protection Act (PDPA) and Bangladesh’s Digital Security Act provide the primary regulatory frameworks governing our data processing activities. We also comply with applicable data protection laws in each jurisdiction where we operate.


8. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected:

Data retention periods by category
Data CategoryRetention PeriodReason
Assessment reports (ROC, AOC)7 yearsPCI SSC requirement
Engagement contracts7 years post-completionLegal obligation
Penetration test reports3 yearsAccreditation requirement
Marketing consent recordsDuration of consent + 1 yearConsent management
Website analytics26 monthsAnalytics provider default
Contact form submissions2 yearsBusiness relationship

When the retention period expires, data is securely deleted or anonymised. Assessment working papers containing cardholder data or sensitive security findings are subject to PCI SSC data destruction requirements.


9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

Access

Request a copy of the personal data we hold about you.

Rectification

Correct inaccurate or incomplete personal data.

Erasure

Request deletion of your personal data where no legal obligation requires retention.

Portability

Receive your data in a structured, machine-readable format.

Restriction

Request that we restrict processing of your data in certain circumstances.

Objection

Object to processing based on legitimate interests or direct marketing.

Notification

Be informed of any data breach that poses a high risk to your rights.

Non-Discrimination

Exercise your rights without receiving discriminatory treatment.

Automated Decisions

Not be subject to decisions based solely on automated processing.

To exercise any of these rights, contact us at privacy@eicsecure.com. We will respond to your request within 30 days. We may request proof of identity before processing your request.

If you are unsatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.


10. Security Measures

As a cybersecurity and compliance company, we hold ourselves to the highest security standards. We implement the following measures to protect your personal data:

  • Encryption — TLS 1.2+ for all data in transit; AES-256 encryption for data at rest
  • Access control — role-based access control (RBAC) with multi-factor authentication for all systems
  • Infrastructure — AWS hosting with WAF protection, DDoS mitigation, and SOC 2 Type II certified data centres
  • Monitoring — 24/7 security monitoring, intrusion detection, and automated alerting
  • Staff training — mandatory annual security awareness training for all employees
  • Certifications — EIC maintains ISO 27001, ISO 9001, and ISO 14001 certifications for our own operations
  • Incident response — documented incident response procedures with defined escalation paths and notification timelines

11. Cookies & Tracking

Our website uses cookies and similar tracking technologies. The types of cookies we use include:

Cookie types used on our website
TypePurposeDuration
Strictly necessarySite functionality, securitySession
AnalyticsUsage statistics, page performance26 months
PreferenceLanguage, region settings1 year

You can manage cookie preferences through your browser settings. Disabling strictly necessary cookies may affect website functionality. We do not use advertising or cross-site tracking cookies.


12. Children’s Privacy

Our services are directed at businesses and professionals, not individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will take immediate steps to delete it.

If you believe a child has provided us with personal data, please contact us at privacy@eicsecure.com.


13. Changes to This Policy

We review this policy annually and may update it to reflect changes in our practices, services, or applicable laws. When we make material changes, we will:

  • Update the “Effective Date” and “Version” at the top of this page
  • Notify active clients via email where changes materially affect their data processing
  • Post a notice on our website for a minimum of 30 days

This policy was last updated on 1 January 2025 (Version 2.1). The next scheduled review is January 2026.