This Privacy Notice (“Notice”) is issued by PT ITSEC Asia Tbk on behalf of the ITSEC Group (referring to PT ITSEC Asia Tbk, our affiliates and/or subsidiaries) (hereinafter referred as “ITSEC”, “we”, “us”, or “our”).

ITSEC offers IntelliBroń, a comprehensive cybersecurity solution suite consisting of three integrated applications: IntelliBroń Orion (an XDR platform), IntelliBroń Threat Intel (a threat intelligence platform), and IntelliBroń Aman (a DNS-over-HTTPS mobile application). While IntelliBroń is fundamentally designed to minimize Personal Data requirements, we may need to collect Personal Data to optimize service delivery, enable Managed Security Service Provider (“MSSP”) operations, facilitate partner integrations, and support marketing activities. This Notice serves as part of our disclosure regarding the processing of your Personal Data, ensuring compliance with applicable data protection laws and regulations, including but not limited to Law No. 27 of 2022 concerning Personal Data Protection ("PDP Law") and its implementing regulations, while fostering a culture of transparency and accountability.

By continuing the use of IntelliBroń and/or engaging in any business with us related to IntelliBroń, you acknowledge that (i) the Personal Data you provide is accurate and legitimate; (ii) you have been informed of, and understand, the provisions of this Notice; and (iii) you have given your valid and explicit consent for the processing of your Personal Data by us for the purposes outlined in this Notice without any duress. This includes consent for data processing required for MSSP monitoring services, partner operations, and system functionality across all IntelliBroń applications. In instances where you provide Personal Data relating to another individual or entity, you represent and warrant that you have obtained the necessary consent from that individual or entity, and hereby agree on their behalf to the processing of their Personal Data by us. If you do not agree to the terms or conditions of this Notice, you must immediately discontinue using the products and services we offer.

This Notice applies to all data subjects whose Personal Data is collected or processed by ITSEC, including users, clients, partners, vendors, and authorized personnel.

The Personal Data we collect varies depending on which IntelliBroń application you use and your role in the service delivery chain. For IntelliBroń Aman users, minimal data collection focuses on basic functionality. For IntelliBroń Orion and Threat Intel, additional data may be required to support MSSP operations, threat analysis, and partner integrations for effective security monitoring services. All Personal Data processing activities are conducted in accordance with the principles of lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability, as set forth under the PDP Law.

ITSEC ensures that all collection and use of Personal Data is strictly limited to what is necessary and relevant to fulfill specific, clearly defined purposes. We do not collect or process any data that is excessive or unrelated to the services we provide. We may also combine data obtained from the aforementioned sources with other data in our possession.

For clients utilizing MSSP services through IntelliBroń Orion, Personal Data may also be collected automatically through security monitoring activities, network traffic analysis, and incident response procedures. This data is processed in coordination with our authorized partners who provide MSSP services on our behalf.

Notwithstanding the above, ITSEC is committed to collecting and processing your Personal Data only to the minimum extent necessary to provide services to you and achieve specific, legitimate purposes as mandated by the PDP Law. When you use IntelliBroń features, we will inform you of the data we require and the reasons for its collection. We will not collect excessive or irrelevant Personal Data beyond the scope of use herein.  

ITSEC may process Personal Data without consent where necessary to fulfil a contract, comply with legal obligations, or pursue our legitimate interests. Any such processing will be carried out in accordance with the PDP Law and will not infringe on your rights.

ITSEC is committed to protecting the Personal Data of children and disabled individuals, in line with the PDP Law. For children, verifiable parental or guardian consent will be obtained before collecting or processing their Personal Data, with strict safeguards like encryption and restricted access. Disabled individuals will receive accessible documents and support to exercise their data rights.

We are committed to ensuring that the Personal Data we collect, and process is accurate, complete, and up to date. We recognize that accurate Personal Data is essential for providing effective services and maintaining trust.

We encourage you to inform us of any changes to your Personal Data. We will provide clear channels for you to update your information easily and will regularly review our data records to ensure they remain current.

We are dedicated to maintaining the security of Personal Data through appropriate technical and organizational measures. This includes implementing security protocols to protect against unauthorized access, loss, or misuse of the Personal Data. 

Access to Personal Data is restricted to authorized personnel only, ensuring that data is handled by individuals who require it for their job functions.

Given the sensitive nature of cybersecurity data processed through IntelliBroń Orion and Threat Intel, we implement additional security measures including encrypted data transmission, secure partner access protocols, and segregated data processing environments to protect both client security data and Personal Data.

To enhance privacy protection, ITSEC will anonymize or pseudonymize certain Personal Data as deemed necessary. Anonymized data cannot be linked back to you, ensuring your privacy.

While we strive to protect Personal Data with the highest standards of security, we cannot guarantee absolute security against all potential threats. You are aware that no system is entirely immune to risks; any transmission of your Personal Data to us through the internet shall be at your own risk.

We may share Personal Data with third parties when necessary to fulfil our services, comply with legal obligations, or protect the rights and safety of our organization, our customers, or others. We will only share Personal Data with trusted third parties who provide sufficient guarantees regarding their ability to implement appropriate data protection measures, should such sharing be necessary. Any sharing of Personal Data will comply with the PDP Law, ensuring that your rights are protected.

For IntelliBroń Orion services, we may share Personal Data with authorized MSSPs who provide security monitoring services on our behalf. These partners are contractually bound to maintain the same level of data protection and are authorized to process Personal Data solely for the purpose of delivering cybersecurity services to our clients.

Your Personal Data may be shared among companies within ITSEC to facilitate collaboration and enhance service delivery. This sharing is conducted under strict internal protocols to ensure the protection of your Personal Data.

We may share Personal Data with third-party processors outside of our group when necessary for MSSP operations, threat intelligence analysis, or technical service delivery. However, we prioritize keeping Personal Data processing within our trusted network of authorized partners and group companies, with all external sharing subject to strict contractual data protection requirements.

We may transfer your Personal Data to other Personal Data Controllers and/or Personal Data Processors (i.e. Data Importer) outside the jurisdiction of the Republic of Indonesia in accordance with the provisions stipulated under the PDP Law.

Cross-border data transfers may be necessary for threat intelligence sharing, global MSSP operations, or when utilizing international cybersecurity databases and threat feeds through IntelliBroń Orion and Threat Intel platforms.

Prior to the transfer, we will obtain your approval and verify the accuracy and conformity of the Personal Data with the purpose of acquiring, collecting and processing the said Personal Data.

In addition to the above, we will also be in coordination with the Ministry of Communication and Digital Affairs (“Kemkomdigi”) through these means: (i) submitting reports on the implementation plan for the Personal Data transfer, which at least specifies the explicit name of destination country, the explicit name of the recipient, the date of implementation, and the reason/objective of the transfer (known as Plan Report); (ii) asks for advocacy to the Kemkomdigi, if necessary; and (iii) reporting the implementation results of the Personal Data transfer (known as Realization Report) to the Kemkomdigi;

In conducting the overseas transfer of Personal Data from the jurisdiction of the Republic of Indonesia to outside the jurisdiction of the Republic of Indonesia, we will ensure that the country of domicile of the Personal Data Controller and/or the Personal Data Processor that receives the transfer of Personal Data has a Personal Data Protection level that is equal to or higher than those that are regulated under the PDP Law.

In the event that the above is not fulfilled, we will ensure that there is an adequate and binding Personal Data Protection (e.g., standard contractual clause).

However, in the event that the above minimum required standards are not fulfilled, we will first obtain your prior approval.

We will only retain Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain Personal Data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

For cybersecurity-related data processed through IntelliBroń Orion and Threat Intel, retention periods may be extended to comply with security incident investigation requirements, threat intelligence analysis needs, and regulatory obligations specific to cybersecurity services.

To determine the appropriate retention period for Personal Data, we shall consider the amount, nature and sensitivity of the Personal Data, the potential risk of harm from unauthorised use or disclosure of the Personal Data, the purposes for which we process the Personal Data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of Personal Data shall be able to be obtained through written request to our Personal Data Protection Contact, whose contact details are provided in Section 10 of this Notice.

In regard to your Personal Data as held and processed by us, the PDP Law grants you the following rights as a Data Subject to:

You may exercise any of the above rights by submitting a request to our Personal Data Protection Contact. Contact details are available in Section 10 of this Notice.

We may require reasonable steps to verify your identity prior to fulfilling any data-related request to prevent unauthorised access or disclosure. Please note that certain rights may be limited in cases where disclosure could interfere with legal obligations, cybersecurity incident response, or other overriding legitimate interests.

We shall provide you with our reactive responses within 3x24 (three times twenty-four) hours from the time we receive a request for any of the following:

Please note that for requests related to cybersecurity data processed through IntelliBroń Orion and Threat Intel, additional verification procedures may be required to ensure the security and integrity of ongoing security operations. We will inform you of any such requirements and work to fulfill your request while maintaining the effectiveness of cybersecurity services.

In the event of a Personal Data Protection failure, including security breaches, whether intentional or unintentional, that lead to the destruction, loss, alteration, disclosure, or unauthorized access to Personal Data that has been transmitted, stored, or processed, we will promptly provide notifications to you, no later than 3x24 (three times twenty-four) hours, since the acknowledgment of the Personal Data Protection failure.

For incidents specifically affecting IntelliBroń Orion or Threat Intel platforms that may impact cybersecurity operations, we will also coordinate with relevant MSSPs and clients to ensure continuity of security monitoring services while addressing the Personal Data Protection failure.

ITSEC uses cookies and similar tracking technologies across IntelliBroń applications and internal systems to improve functionality, monitor performance, and enhance user experience. For IntelliBroń Aman, cookies may be used for DNS request optimization and app functionality. For IntelliBroń Orion and Threat Intel, cookies support secure access, session management, and security analytics functionality for MSSP operations.

These cookies may collect technical information such as device identifiers, usage data, and system performance metrics. Users of IntelliBroń applications are informed of cookie usage through this Notice, and consent is obtained as part of the application setup or continued usage. MSSPs and authorized personnel accessing Orion and Threat Intel platforms are similarly informed of cookie usage for operational purposes.

Cookie settings can be managed through individual browser settings or application preferences where available, though disabling cookies may impact system functionality and security monitoring capabilities. ITSEC ensures all cookie usage complies with Personal Data Protection requirements and maintains the security standards necessary for cybersecurity operations.