PRIVACY POLICY
DSI Advisory Services (operated by CM & Co Consulting Group AB, Org.nr 559402-7699, Sweden) is the data controller for personal data processed through digitalsecurityinsights.com. This notice describes how we collect, use, and protect that data under the GDPR.
Last updated: 1 July 2026
1. Data we collect
Account data — your name and email address — when you create a free DSI account using a magic sign-in link or Google Sign-In, used to identify you and to sync your access and learning progress across devices.
DSI Academy learning progress (lessons completed, practice answers, readiness and spaced-repetition state) stored against your account when you are signed in. When you are not signed in, this stays only in your own browser and is never sent to us.
A free-reading count kept locally in your browser (localStorage) to operate the free-article allowance before sign-up. This is not transmitted to us.
Newsletter email and (optionally) role and organisation, when you sign up for the newsletter.
Contact form submissions (name, organisation, email, engagement type, message), when you reach out via the website.
NIS2 Self-Assessment Scorecard submissions (sector, maturity scores, contact details, free-text context), when you complete the tool.
NIS2 Scope Assessment submissions (sector, size, lead contact details), when you complete the scope tool.
Server logs containing hashed IP address and user agent for rate-limiting and abuse prevention.
Anonymous, aggregated usage analytics via self-hosted Umami. No third-party tracking pixels.
2. Legal basis
Performance of a service you requested (Article 6(1)(b) GDPR) for creating and operating your DSI account and the DSI Academy, and for paid engagements.
Legitimate interest (Article 6(1)(f)) for newsletter operations, account and server-log security, and analytics.
Consent (Article 6(1)(a)) for marketing communications beyond transactional emails. You can withdraw consent at any time.
3. Retention
Account and DSI Academy learning progress: kept while your account is active, and deleted when you ask us to close your account.
Subscriber records: kept for the active life of the subscription plus 24 months after unsubscribe, then deleted.
Scorecard and scope assessment submissions: kept for 24 months for benchmarking, then automatically deleted unless you have requested earlier deletion.
Contact form messages: kept for 24 months for follow-up and audit purposes.
Server logs: 30 days.
4. Sub-processors
Resend (transactional and sign-in email delivery) — EU/US, GDPR-compliant.
Google (Google Sign-In / OAuth) — US, under the EU-US Data Privacy Framework; used only if you choose to sign in with Google, to confirm your name and email.
Railway (application hosting) — EU/US, GDPR-compliant.
Postgres database provider (managed via Railway) — stores account and learning-progress data.
Umami (self-hosted analytics, no external transfer).
5. Your rights
Right of access to your personal data.
Right to rectification of inaccurate data.
Right to erasure (the right to be forgotten).
Right to data portability.
Right to restrict or object to processing.
Right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
6. International transfers
Some sub-processors operate in the United States. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses and sub-processor compliance with the EU-US Data Privacy Framework.
7. Security
All traffic is encrypted via HTTPS with HSTS preload. Authentication sessions use HttpOnly, Secure, SameSite=Lax cookies. Application secrets are environment-variable scoped and rotated periodically. We do not retain unhashed IP addresses or passwords.
8. Changes to this policy
Material changes will be announced via the newsletter and updated on this page with a new revision date.
Data Protection Contact
For any privacy request, including access, deletion, or complaint, contact: