INTRODUCTION

This Privacy Policy (“Policy”) explains how Turing Tower Inc. (“Turing Tower”, “we”, “us” or “our”) collects, uses, discloses, and processes your Personal Data in connection with your access to and use of our websites, products, services, applications, and tools (collectively, the “Platform”).

Turing Tower Inc. is a cybersecurity company incorporated in the State of Delaware, United States, with operations and users across multiple jurisdictions including Nigeria, the European Union, and the United States.

We are committed to safeguarding your privacy and ensuring the security of your personal data in accordance with applicable data protection laws, including:

• The Nigeria Data Protection Regulation (NDPR),

• The European Union General Data Protection Regulation (GDPR),

• The California Consumer Privacy Act and its amendments (CCPA/CPRA), where applicable.

This Policy outlines the categories of Personal Data we collect, the purposes for which we use such data, the lawful bases for processing, the rights available to you, and the measures we take to protect your information.

By accessing or using our Platform, or otherwise providing us with your Personal Data, you acknowledge that you have read, understood, and agreed to the terms of this Privacy Policy. If you do not agree with any part of this Policy, please discontinue use of the Platform.

Unless otherwise defined herein, capitalized terms used in this Policy shall have the meanings ascribed to them under applicable data protection laws.

DEFINITIONS

For the purpose of this Privacy Policy:

“Personal Data” (also referred to as “Personal Information”) means any information relating to an identified or identifiable natural person, either directly or indirectly. This may include, but is not limited to, your name, contact details, email address, device identifiers, IP address, account login details, and any other data that can reasonably be linked to you.

“Sensitive Personal Data” refers to categories of Personal Data that require a higher level of protection under applicable laws, such as access credentials, security logs, or biometric information (where collected).

“User”, “you”, or “your” refers to any individual who accesses or uses the Platform, including customers, prospective users, administrators, or website visitors.

“Data Controller” means the natural or legal person who determines the purposes and means of processing Personal Data. For individual account users, Turing Tower acts as the Data Controller. For enterprise clients, Turing Tower may act as a Data Processor, depending on the nature of the engagement.

“Data Processor” means a person or entity that processes Personal Data on behalf of the Data Controller.

“Processing” means any operation performed on Personal Data, whether automated or not, including collection, storage, use, disclosure, transfer, or deletion.

“Applicable Laws” means all relevant data protection laws, regulations, and guidelines in force in the jurisdictions in which Turing Tower operates or from which users access the Platform, including NDPR, GDPR, and CCPA.

“Platform” refers collectively to the Turing Tower suite of cybersecurity solutions, including its web applications, tools, APIs, and integrations such as Turing Scanner, Crudguard, and the Core Risk Engine.

THE INFORMATION WE COLLECT

We collect and process various categories of Personal Data to operate, secure, and improve the Turing Tower Platform. These include the following:

1. Information You Provide to Us

This includes Personal Data voluntarily submitted when:

• Creating an account or subscribing to our services;

• Filling out registration or contact forms;

• Communicating with our team (e.g., via support requests, emails, or surveys);

• Participating in product demos, onboarding, or due diligence processes.

Examples of such data may include:

• Full name, email address, phone number(s);

• Job title, organization name, or professional role;

• Country of residence or work, and other identifying or contact information;

• Authentication credentials (e.g., username, password, or MFA data, if provided by user).

2. Information Collected Automatically

When you access or interact with our Platform, we may automatically collect certain technical and usage-related data, such as:

• Device and browser information (e.g., type, model, OS, browser version);

• Internet Protocol (IP) address and geolocation (if enabled);

• Access times, clickstream data, referral URLs, and page interaction metrics;

• Log-in times, session duration, and activity logs.

We use cookies, server logs, and similar technologies to collect this information. See our Cookie Policy for more details.

3. Data Processed Through Platform Use

In the course of using Turing Tower products including Turing Scanner, Crudguard, and the Core Risk Engine, we collect operational and security related data, such as:

• System logs (e.g., web server, network, and infrastructure logs);

• Database activity logs (e.g., query history, access events, privilege changes);

• Scan configurations (e.g., IP ranges, ports, depth, credentials where applicable);

• Scan results (e.g., vulnerabilities, outdated libraries, misconfigurations);

• Security alerts, detection patterns, anomaly scores;

• User metadata (e.g., admin actions, login records, in-platform responses);

• Audit trails and integration metadata with third-party SIEM/SOC tools.

This data may relate to end users, clients, or infrastructure managed by our enterprise customers. Where applicable, we act as a Data Processor on behalf of those clients.

4. Information Received from Third Parties

Where permitted by law or with your consent, we may receive additional data about you from:

• Identity verification services or KYC partners;

• Payment processors and financial institutions;

• Cloud service providers or analytics platforms;

• Your employer or enterprise administrator (in case of enterprise deployments).

Such data may be used to supplement our records, enhance security, or fulfill contractual obligations.

PURPOSES FOR WHICH WE COLLECT AND PROCESS YOUR DATA

We collect and process Personal Data for the following legitimate business and legal purposes:

A. Provide and Operate the Platform

• To create, authenticate, and manage your account;

• To deliver core services, including vulnerability scanning, log analytics, and threat detection;

• To configure scan targets, receive alerts, and manage integrations with third-party tools.

B. To Personalize and Improve User Experience

• To understand how users interact with our products and services;

• To optimize navigation, user flows, dashboards, and recommendations;

• To tailor content, notifications, and support interactions to your preferences.

C. For Security and Compliance Purposes

• To detect and prevent unauthorized access, abuse, or fraud;

• To monitor infrastructure and respond to anomalies, breaches, or internal misuse;

• To comply with applicable legal and regulatory obligations, including data security laws and audit requirements;

• To maintain logs for auditability, investigation, and internal governance.

D. For Communication and Support

• To respond to user inquiries, support tickets, and service-related requests;

• To send important updates regarding system performance, planned maintenance, or legal notices;

• To deliver newsletters, promotional offers, or product announcements (where lawful and with opt-out options).

E. For Research, Analytics, and Service Enhancement

• To analyze trends, usage data, and performance metrics;

• To conduct internal research and diagnostics for platform stability and reliability;

• To identify, fix, and prevent bugs, vulnerabilities, or service errors.

F. To Fulfill Contractual and Legal Obligations

• To comply with contractual obligations owed to our customers and partners;

• To fulfill obligations under applicable data protection laws;

• To respond to lawful requests from regulators, law enforcement, or courts.
  
  
  

LEGAL BASIS FOR PROCESSING PERSONAL DATA

Turing Tower processes Personal Data in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), Nigeria Data Protection Regulation (NDPR), and, where applicable, the California Consumer Privacy Act (CCPA/CPRA). Depending on the context of the interaction and the jurisdiction, the legal bases for our processing activities include the following:

1. Performance of a Contract: We process your Personal Data to perform our contractual obligations to you or your organization, including the provision of our Platform and related services.
   
   

2. Consent: Where required by law, we may request your explicit consent to process certain categories of Personal Data, such as for: Sending marketing communications; Collecting optional tracking data (e.g., cookies or analytics); Using third-party integrations or enabling log ingestion.

You may withdraw your consent at any time without affecting the lawfulness of prior processing.

3. Legitimate Interests: We may process Personal Data for the purposes of our legitimate business interests, provided such interests are not overridden by your rights or interests. These may include: Preventing fraud, misuse, or unauthorized access; Monitoring and improving the performance of our Platform; Conducting internal audits, diagnostics, and service optimization.
   
   

4. Compliance with Legal Obligations: We may process Personal Data as required to comply with applicable laws, regulatory inquiries, court orders, or law enforcement investigations, including obligations relating to data protection, cybersecurity, and financial transparency.
   
   

5. Vital Interests or Public Interest (Where Applicable): In rare circumstances, we may process data to protect the vital interests of a user or comply with public interest mandates, such as responding to threats, breach incidents, or data security risks affecting other users.
   
   
   

SHARING YOUR INFORMATION WITH THIRD PARTIES

We do not sell your Personal Data. However, we may share or disclose your information with trusted third parties where necessary for the operation of the Platform, compliance with legal obligations, or based on your instructions.

The categories of third parties with whom we may share Personal Data include:

1. Technology and Infrastructure Partners: We may share data with cloud service providers, hosting platforms, or infrastructure vendors to support secure storage, availability, and delivery of our services. This includes: Cloud hosting (e.g., Amazon Web Services, Azure, etc.); Content delivery networks (CDNs); Encryption key management and backup systems.
   
   

2. Security and Monitoring Integrations: Our platform integrates with third-party Security Information and Event Management (SIEM) tools and Security Operations Centers (SOCs) to enable centralized log analysis, incident response, and alerting. Such integrations are: Client-controlled and opt-in; Subject to technical vetting and data protection agreements (DPAs); Limited to metadata, detection tags, and alert payloads as needed.
   
   

3. Enterprise and Support Service Providers: We may disclose data to third parties who assist us in providing business operations, including: Identity verification services; Technical support platforms; Payment processors (if applicable); Customer communication tools (e.g., email or notification services).
   
   

4. Professional Advisors and Legal Authorities: We may disclose data to: Legal counsel, auditors, and consultants for compliance and dispute resolution; Law enforcement, regulators, or courts where required by applicable law or binding order and; Tax authorities or financial regulators, where applicable.
   
   

5. Affiliates and Subsidiaries: We may share data within the Turing Tower group or affiliated entities, provided such entities are bound by similar confidentiality and data protection obligations.

All third-party access is governed by strict confidentiality requirements and technical safeguards, including: Data Processing Agreements (DPAs); Minimum necessary data-sharing principles; and Ongoing monitoring and due diligence.

We do not permit our third-party partners to use Personal Data for their own marketing or unrelated purposes without your explicit consent.

INTERNATIONAL TRANSFER OF PERSONAL DATA 

As a globally operating company, Turing Tower may transfer and process your Personal Data in jurisdictions outside of your country of residence, including the United States, Nigeria, and other regions where we or our service providers maintain facilities or servers.

These transfers may be necessary to:

• Deliver our services to international users;

• Support global infrastructure and hosting environments;

• Facilitate third-party integrations, security monitoring, or backup systems;

• Comply with cross-border legal obligations and business requirements.
  
  

1. Safeguards for International Transfers: Where Personal Data is transferred across borders, we implement appropriate safeguards to ensure your data is treated securely and in accordance with applicable data protection laws, including:

• Standard Contractual Clauses (SCCs) approved by relevant data protection authorities;

• Binding Corporate Rules (where applicable);

• Data Protection Agreements (DPAs) with third-party processors;

• Verification that receiving countries maintain adequate data protection regimes (e.g., NITDA White List for Nigeria or EU adequacy decisions).
  
  

2. User Rights and Additional Information: We ensure that such transfers do not override your privacy rights or reduce the level of protection your data receives under the Applicable Laws. 

If you require more information about our cross-border data transfer mechanisms or a copy of the applicable contractual safeguards, you may contact us at: kaizen@technologyandx.com.

 YOUR RIGHTS AS A DATA SUBJECT OR USER

By providing us with your personal information, you have certain rights in accordance with the provisions of the Nigeria Data Protection Regulation which include:

1. the right to request for your personal data in our possession, 

2. the right to object to the processing of your personal data,

3. the right to request rectification and modification of Personal Information which we keep,

4. the right to request for the deletion of your personal data in our possession. To exercise any of the rights listed here, please contact us through the details provided below,

5. the right to restrict or limit processing of your data in certain contexts,

6. the right to withdraw consent to data processing (where consent is the lawful basis); and

7. the right to Lodge a Complaint

8. the right to lodge a complaint with the relevant supervisory authority in your jurisdiction,
   
   

Special Note for Enterprise Clients:

Where Turing Tower acts as a Data Processor on behalf of an enterprise customer (e.g., in hosted deployments), requests to access, delete, or modify Personal Data should be directed to your organization’s system administrator or data controller.

All valid requests will be reviewed and processed within 30 days, subject to verification and legal/regulatory limitations. We may request additional information to confirm your identity or clarify the scope of your request. To exercise any of your rights, please contact: kaizen@technologyandx.com 

DATA PROTECTION AND PRIVACY

We retain Personal Data only for as long as is necessary to fulfill the purposes for which it was collected, including:

• The provision of our services;

• Compliance with legal, regulatory, or contractual obligations;

• Internal business operations, including security, backup, and auditing;

• The establishment, exercise, or defense of legal claims.
  
  

1. Retention Periods: The specific retention period for each category of Personal Data may vary depending on:

• The nature of the data and the purpose for which it was collected;

• The existence of ongoing service relationships or contractual arrangements;

• Legal or regulatory retention obligations (e.g., tax, financial, or audit records);

• Whether a deletion request has been submitted and lawfully granted.

Where applicable and lawful, we will securely delete or anonymize Personal Data once the relevant purpose has been fulfilled or upon expiry of the applicable retention period.

2. Periodic Reviews and Deletion: We conduct regular reviews of the data in our possession to assess:

• Whether the data remains accurate and up to date;

• Whether retention is still necessary or lawful;

• Whether the data can be securely deleted or anonymized.

If a deletion request is received and there is no overriding legal or contractual obligation to retain the data, we will comply with such a request in accordance with applicable data protection laws.

3. Backup and Archival: Please note that even where deletion is carried out, data may persist in secure backups for a limited period (not exceeding 90 days) solely for disaster recovery or business continuity purposes.

Export Requests: You may also request a copy of your Personal Data in a commonly used format (e.g., CSV, JSON) prior to deletion, subject to identity verification and system compatibility.

DATA SECURITY AND PROTECTION MEASURES

We are committed to safeguarding the confidentiality, integrity, and availability of your Personal Data. Turing Tower implements industry-grade technical and organizational security measures to protect Personal Data from unauthorized access, loss, misuse, disclosure, alteration, or destruction.

1. Technical Security Controls: The following controls are applied across our infrastructure and product suite:

   • AES-256 encryption for data at rest; TLS 1.2+ encryption for data in transit.

   • Role-Based Access Control (RBAC), Multi-Factor Authentication (MFA), and IP-based access restrictions.

   • Real-time log ingestion, regex-based anomaly detection, and alerting.

   • Network segmentation, firewalls, endpoint protection, and periodic penetration testing.

   • Secure software development practices with peer reviews and static code analysis.
     
     

2. Organizational Safeguards: We also implement internal policies and controls to ensure responsible data management, including:

   • Employee access is limited on a “need-to-know” basis.

   • All staff undergo periodic training on data protection and security protocols.

   • A formal Information Security Policy governs how we handle all categories of data.

   • Regular audits and reviews are conducted to assess system resilience and compliance.
     
     

3. Data Breach Response: In the event of a data breach or suspected compromise, we will:

• Investigate and contain the breach;

• Notify affected users and the relevant data protection authorities within 72 hours, where legally required.

• Take corrective measures to prevent recurrence;

• Maintain audit trails and documentation to support accountability.

• We have a documented Data Breach Response Plan and routinely test our response procedures to ensure rapid remediation.

4. User Responsibilities: While we take security seriously, users also play a critical role in maintaining the security of their data. You are responsible for:

   • Keeping login credentials confidential;

   • Using strong, unique passwords;

   • Notifying us immediately if you believe your account has been compromised.
     
     

COOKIES AND TRACKING TECHNOLOGIES

Turing Tower uses cookies and similar tracking technologies to enhance user experience, support platform functionality, and analyze user behavior.

Cookies are small text files stored on your device when you visit a website. They help us recognize your browser or device, remember preferences, and improve the security and usability of our services.

1. Types of Cookies We Use
   We may use the following categories of cookies:

   • Strictly Necessary Cookies: Required for the operation of our Platform, such as enabling user login, session management, or system security.

   • Performance and Analytics Cookies: Help us understand how users interact with the Platform (e.g., pages visited, features used), allowing us to optimize performance and  troubleshoot issues.

   • Functionality Cookies: Allow the Platform to remember user choices (e.g., language, region, display settings) to enhance your experience.

   • Third-Party Cookies: Set by trusted partners (e.g., cloud platforms, analytics providers, or support chat services) to facilitate integration or support services. These providers are contractually bound to protect your data and not use it for unrelated purposes.
     
     

2. Your Choices and Controls
   You may control or disable cookies at any time through:

   • Your browser settings (e.g., to block or delete cookies);

   • Cookie consent banners or settings available on our website (where applicable).

   Please note that disabling certain cookies may affect the functionality and security of the Platform.
   
   

3. No Use of Tracking for Cross-Site Behavioral Advertising
   We do not use cookies to engage in third-party behavioral advertising or to build cross-site profiles for commercial resale. We prioritize security and functionality above ad-based tracking.

LINKS TO THIRD-PARTY WEBSITES OR SERVICES

Our Platform may contain links to third-party websites, services, tools, or applications (“Third-Party Sites”) that are not owned or operated by Turing Tower.

These Third-Party Sites may have their own privacy policies and data collection practices, which are independent of this Privacy Policy. We are not responsible for the content, data handling, or privacy practices of such external websites or services.

1. No Endorsement or Control: The inclusion of a link to any Third-Party Site does not imply endorsement or recommendation by Turing Tower. We do not control these third parties and are not responsible for how they process your Personal Data.
   
   

2. User Caution Advised: We strongly encourage you to review the privacy policies and terms of use of any Third-Party Site before submitting your Personal Data to them.
   
   
   

CHANGES AND UPDATES TO THIS PRIVACY POLICY

We may revise or update this Privacy Policy from time to time to reflect changes in our services, applicable laws, technological developments, or data processing practices.

1. Notification of Changes

When changes are made, we will:

• Post the updated version of the Privacy Policy on our website;

• Update the “Last Updated” date at the top or bottom of the policy;

• Provide additional notice via email or platform notification (where required by law or at our discretion).

2. User Responsibility

We encourage you to periodically review this Privacy Policy to stay informed about how we collect, use, and protect your Personal Data. Your continued use of the Platform following the publication of an updated Privacy Policy constitutes your acceptance of the revised terms, except where such acceptance is legally required to be obtained afresh.

CONTACT INFORMATION

If you have any questions, concerns, or requests regarding this Privacy Policy, your Personal Data, or your data protection rights, you may contact us using the details below:

Data Protection Officer (DPO)

Email: kaizen@technologyandx.com 

1. Response Timeline: We will respond to verified data privacy requests within 30 days, or as required under applicable data protection laws. If your request is particularly complex or requires additional time, we will notify you accordingly.
   
   

2. Identity Verification: For your protection, we may require verification of your identity before fulfilling certain privacy-related requests (e.g., access, deletion, or export).
   
   

3. Regulatory Escalation: If you believe your rights under applicable data protection laws have been violated, you also have the right to file a complaint with the appropriate supervisory authority in your jurisdiction.