7Camber Privacy Policy
Version: 2.2
Last updated: 14/01/2026
1. Who we are
This Privacy Policy explains how 7Camber Ltd (“7Camber”, “we”, “us”) handles personal data.
Controller contact details
| Legal name | 7Camber Ltd |
| Address | 7Camber, 170 Pater House, Psaila Street, Birkirkara, BKR 9077, Malta |
| General contact | info@7camber.com |
| Phone | 00356 2759 5000 |
If you are contacting us about a rights request (access, deletion, etc.), please use the general email above.
2. What this policy covers
This policy covers personal data we handle when:
- We deliver penetration testing / security testing services for our clients; and
- You interact with us directly (as a business contact, supplier, or website visitor).
Our role during penetration tests:
In most client engagements, 7Camber acts as a processor (or sub-processor) and our client (or our client’s customer) is the controller. That means the controller is responsible for telling data subjects how their data is used in the client environment. We only process data on documented instructions and only for the agreed testing and reporting scope.
3. Personal data we may process
3.1. Business contact and relationship data
We may process:
- Name, job title, employer, business email, business phone
- Communication content (emails, meeting notes)
- Contract and billing details (invoice references, payment status)
3.2. Data incidentally accessed during penetration tests
Penetration testing can involve incidental access to data in the systems being tested.
We do not seek to collect personal data during testing. Where personal data appears in evidence (screenshots/snippets), we minimise and redact wherever possible.
3.3. Website technical data
If you visit our website, we may process:
- IP address, device/browser information
- Basic usage and security logs (e.g., to detect abuse)
- Personal contact data you provide us with in contact forms
4. Why we process personal data and our legal bases
4.1 Delivering penetration testing services
Purpose: planning and coordination, access arrangements, performing testing, producing and delivering reports, and handling follow-up questions/remediation support.
Legal basis (where 7Camber is controller for the relationship data): performance of a contract (Article 6(1)(b)) and/or legitimate interests (Article 6(1)(f)) in delivering and documenting professional security services.
Where we act as processor: the controller determines the legal basis; we process only on instructions under our contract.
4.2 Managing our business
Purpose: quoting, contracting, invoicing, payment, recordkeeping, auditability, and dealing with disputes/claims.
Legal basis: performance of a contract (Article 6(1)(b)), legal obligation (Article 6(1)(c)).
4.3 Marketing
If we send marketing communications, we will do so in line with applicable ePrivacy rules.
Legal basis: consent (where required) or legitimate interests (where permitted), with an easy opt-out.
5. Special category data
We do not request or aim to process special category data (e.g., health data).
6. Who we share personal data with
We may share personal data with:
- Suppliers/subcontractors used to support delivery (only where necessary, subject to mandatory agreements)
- Authorities where we are legally required to disclose
We do not sell personal data.
7. Subcontractors and “sub-processors”
For client engagements, we may use subcontractors for specific tasks. Where subcontractors may access personal data:
- we put written contractual obligations in place, and
- we restrict access to what is necessary.
If a client contract requires prior notice/approval of subcontractors, we follow that process.
8. International transfers (outside the EEA)
If personal data is accessed from or transferred to a country outside the EEA, we use appropriate safeguards as required by GDPR Chapter V. Standard contractual clauses are the tool we use most often. Where the destination country is outside of the EEA and is not deemed to provide the level of protection of personal data equivalent to that of the GDPR, we conduct a Transfer Impact Assessment.
We keep personal data only as long as necessary for the purposes in this policy:
- Engagement coordination and delivery records kept for the duration of the engagement and a limited period after completion to handle follow-up questions, confirm scope/delivery, and defend legal claims.
- Reports and supporting evidence retained for the period agreed with the client and/or needed for legal/accountability reasons. Where possible, we retain redacted versions and delete raw materials sooner.
Exact retention periods can vary by engagement and are defined in the relevant service agreement and/or data processing terms.
10. Security measures
We apply technical and organisational measures appropriate to the risk, including:
- access controls and least-privilege access,
- MFA for administrative access,
- secure storage and controlled sharing of deliverables,
11. Your rights
Where 7Camber is a controller for your personal data (for example, if you are a business contact, supplier, or website visitor), you may have the right to:
- access your data,
- rectify inaccurate data,
- request deletion,
- restrict processing,
- object to processing (especially where based on legitimate interests),
- data portability (where applicable),
- withdraw consent (where processing is based on consent).
If your data is in a client system we are testing, the controller is our client (or our client’s customer). In that case, please direct requests to the controller. We will assist the controller where required.
12. Complaints
If you are unhappy with how we handle personal data, please contact us at the email address specified at the top of the Policy so we can address the issue.
You also have the right to complain to your local supervisory authority in the EEA. If you are in Malta, this is the Office of the Information and Data Protection Commissioner (IDPC).
13. Changes to this policy
We may update this policy from time to time. We will publish the latest version on our website and update the “Last updated” date above.

