When you use Qyli Cyber to train your team, you decide whose data is processed and why, so you are the data controller and Qyli Ltd is your data processor. This page summarises how we process that data on your behalf. If you need a signed Data Processing Agreement for your records, email us.
What we process, and for whom
| Subject matter | Providing cyber awareness training and simulated phishing on your instruction. |
|---|---|
| Duration | For as long as your account is active. |
| Data subjects | The staff, pupils or other members you invite. |
| Data categories | Names, email addresses, training scores and completion, and simulated-phishing open/click events. |
Our commitments
- We process this data only on your documented instructions, to provide the service.
- We apply appropriate technical and organisational security measures, including access controls and encryption in transit.
- People with access to the data are bound by confidentiality.
- We notify you without undue delay if we become aware of a personal data breach affecting your data.
- On request or account closure, we delete or return the data, subject to any legal retention requirements.
Sub-processors
We use the following sub-processors to deliver the service:
- Supabase — database and authentication.
- Cloudflare — hosting and content delivery.
- Stripe — payment processing (billing contact only).
- Resend — sending invitation and training emails.
- Anthropic — AI used to configure scenarios.
International transfers
Where a sub-processor processes data outside the UK, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or addendum to the EU Standard Contractual Clauses.