Privacy Statement
Last updated: April 2026
1. Who We Are
Hercules Suite Limited (“Hercules”, “we”, “us”, or “our”) is a cybersecurity company that operates the Hercules Suite, a cloud-based platform for Business Email Compromise (BEC) simulation, phishing awareness training, and human-risk measurement. We are incorporated and operate under Nigerian law.
For the purposes of applicable data protection legislation, Hercules Suite Limited acts as a data processor on behalf of our customers, who are the data controllers. Our customers are the organisations that use Hercules to run security awareness programs for their employees.
Contact: support@herculessuite.io
2. Scope of This Statement
This Privacy Statement explains how Hercules Suite Limited collects, uses, stores, shares, and protects personal data when you:
- Visit our website or marketing pages at herculessuite.io.
- Register for or use the Hercules Suite dashboard as a tenant administrator.
- Participate in a phishing simulation or security awareness training program administered by your employer through Hercules.
- Contact us for sales, support, or partnership inquiries.
This statement does not cover third-party websites or services that may be linked from our platform. We are not responsible for the privacy practices of those services.
3. Data We Collect
We collect data in the following categories:
Account and Registration Data
Tenant administrators provide their name, work email address, organisation name, and role during registration. This data is required to create and manage a tenant account.
Employee Simulation Data
When your organisation runs a phishing simulation, Hercules processes employee names and work email addresses uploaded by the tenant administrator. We also record simulation interaction events, including whether a simulated phishing email was opened, whether a link was clicked, whether a report-phish action was taken, and training module completion status. Device metadata (browser type, operating system, approximate timestamp) is collected in connection with those interactions.
Hercules does not process special categories of personal data (such as health, financial, biometric, or government identity information) in the course of simulation operations.
Usage and Telemetry Data
We collect server-side telemetry about how the platform is used, including request logs, feature usage patterns, API call metadata, error events, and session timing. This data is used to operate, debug, and improve the platform. It is associated with tenant identifiers, not individual employee identities.
Website Visitor Data
When you visit herculessuite.io, we may collect standard web server logs including your IP address, browser type, referring URL, and pages visited. This data is used for security monitoring and aggregate traffic analysis. We do not use third-party advertising cookies or cross-site tracking technologies on our marketing site.
Communications Data
If you contact us by email or through a contact form, we retain the content of your message and your contact details to respond to your inquiry and to maintain a record of our communications.
4. How We Use Your Data
We use the data we collect for the following purposes:
- Service delivery: provisioning tenant accounts, running phishing simulation campaigns, delivering in-context awareness training, and generating compliance and risk reports.
- Security and abuse prevention: detecting and preventing misuse, enforcing our Acceptable Use Policy, maintaining audit logs of tenant and administrative actions, and responding to security incidents.
- Platform operations: monitoring system health, diagnosing failures, improving reliability, and planning capacity.
- Billing and account management: processing subscription payments, issuing invoices, and managing tenant account lifecycle.
- Legal compliance: meeting obligations under the Nigeria Data Protection Act 2023 (NDPA), the Nigeria Data Protection Regulation (NDPR), and other applicable law.
- Customer communications: responding to support requests and sending material service notices. We do not send marketing emails without your explicit consent.
We do not sell, rent, or trade personal data to third parties for their own marketing or commercial purposes. We do not use employee simulation data to build behavioural profiles outside the scope of the contracted security awareness service.
5. Legal Basis for Processing
For personal data processed on behalf of tenant-controllers, the lawful basis is determined by the controller. Hercules processes that data under its contract with the controller (the Data Processing Agreement) and does not determine the lawful basis independently.
For data Hercules processes as a controller (account data, website logs, and communications), the applicable legal bases are:
- Contract performance: processing necessary to provide the agreed service and manage the tenant account.
- Legitimate interest: security monitoring, fraud prevention, platform reliability, and abuse prevention, provided those interests are not overridden by your rights and freedoms.
- Legal obligation: compliance with applicable law, regulatory requests, or court orders.
- Consent: where we have obtained explicit consent, such as for optional marketing communications. Consent may be withdrawn at any time.
6. Data Sharing and Third Parties
We share personal data with third parties only where necessary to operate the platform and only under written agreements that require those parties to maintain equivalent data protection standards.
Infrastructure and Hosting
The Hercules platform is hosted on Railway, a managed cloud infrastructure provider. Railway manages the underlying compute, database, and networking infrastructure. Your data is stored in Railway’s managed environment, which may operate across cloud regions outside Nigeria. Contractual protections are in place in accordance with NDPA Chapter 7 cross-border transfer provisions.
Email Delivery
Simulation emails and transactional notifications are delivered via Amazon Web Services Simple Email Service (AWS SES). AWS processes recipient email addresses and message metadata to deliver those messages. AWS operates under binding data processing terms consistent with international data protection standards.
Payment Processing
Subscription billing is handled by Stripe, Inc. Hercules does not store payment card numbers or sensitive financial credentials. Stripe acts as an independent payment processor subject to PCI DSS compliance. You may review Stripe’s privacy practices at stripe.com/privacy.
Subprocessors
A current list of Hercules subprocessors is available at herculessuite.io/trust/subprocessors. We will notify tenant administrators of material changes to our subprocessor list before those changes take effect, in accordance with our Data Processing Agreement.
Law Enforcement and Legal Requests
We may disclose personal data where required by applicable law, a court order, or a valid request from a competent authority. Where permitted by law, we will notify affected customers before disclosing their data.
7. Data Retention
We retain personal data for as long as necessary to provide the contracted service and to meet our legal obligations. The following default retention periods apply:
- Tenant account and simulation data: retained for the duration of the active subscription, plus 90 days following contract termination, after which it is deleted or anonymised. Earlier deletion is available on written request under the terms of the Data Processing Agreement.
- Audit logs: retained for a minimum of 12 months to support security investigations and compliance reviews, unless a longer period is required by applicable law.
- Billing records: retained for 7 years in accordance with Nigerian tax and financial record-keeping obligations.
- Support and communications records: retained for 2 years from last contact, or until earlier deletion is requested.
- Website logs: retained for 90 days for security monitoring purposes.
When data is deleted, it is removed from live systems and will not be retained in backups beyond the next scheduled backup rotation cycle (maximum 30 days).
8. Data Security
We implement technical and organisational security controls appropriate to the nature of the data we process. These include:
- Tenant isolation: all customer data is logically separated at the database level using PostgreSQL Row-Level Security policies. No tenant can access another tenant’s data.
- Authentication: access to the platform requires authenticated sessions using asymmetrically signed (RS256) JWTs with short expiry and secure refresh rotation. Passwords are hashed using bcrypt with a minimum cost factor of 12.
- Transport security: all data in transit is encrypted using TLS 1.2 or higher.
- Access control: privileged access to production systems is restricted to authorised operational personnel. All access is logged and attributed.
- Rate limiting and abuse prevention: all authentication endpoints and sensitive API routes are rate-limited to resist credential stuffing and brute-force attacks.
- Audit logging: all tenant registrations, campaign launches, and administrative actions are recorded in tamper-evident audit logs.
No method of transmission over the internet or electronic storage is 100% secure. While we take reasonable precautions to protect your data, we cannot guarantee absolute security. In the event of a data breach affecting your data, we will notify you in accordance with applicable law and our Data Processing Agreement obligations.
9. International Data Transfers
Hercules is incorporated and headquartered in Nigeria. Our cloud infrastructure is operated through Railway, whose underlying services may be hosted in regions outside Nigeria, including in the European Union or United States. Where personal data is transferred outside Nigeria, we rely on contractual safeguards consistent with the NDPA 2023 Chapter 7 cross-border transfer framework.
Tenant organisations subject to sector-specific data residency requirements (such as CBN directives for financial institutions) should raise residency requirements during procurement. We will work with affected customers to identify available solutions.
10. Your Data Subject Rights
Under the Nigeria Data Protection Act 2023, the NDPR 2019, and other applicable law, you have the following rights in relation to your personal data:
- Right of access: you may request a copy of the personal data we hold about you.
- Right to rectification: you may ask us to correct inaccurate or incomplete data.
- Right to erasure: you may request deletion of your personal data where we no longer have a lawful basis to retain it.
- Right to restriction: you may ask us to restrict processing of your data in certain circumstances.
- Right to data portability: you may request your data in a structured, machine-readable format where technically feasible.
- Right to object: you may object to processing based on legitimate interest.
- Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at support@herculessuite.io. We will acknowledge your request within 72 hours and respond substantively within 30 days.
Where your rights request relates to data uploaded by your employer (as a tenant-controller), we may refer the request to the relevant controller, as they bear primary responsibility for fulfilling employee data subject rights.
You also have the right to lodge a complaint with the Nigeria Data Protection Commission (NDPC) if you believe your data has been processed unlawfully. The NDPC can be reached at ndpc.gov.ng.
11. Cookies and Tracking
The Hercules platform uses strictly necessary session cookies to maintain authenticated user sessions. These cookies are required for the platform to function and are not used for advertising or cross-site tracking.
Our marketing website (herculessuite.io) does not deploy third-party advertising cookies, tracking pixels, or cross-site analytics scripts. Standard server-side access logs are used for security monitoring and aggregate traffic analysis only.
If that policy changes, we will update this statement and, where required, obtain your consent before deploying any new tracking technologies.
12. Children’s Privacy
Hercules is a professional security platform intended exclusively for use by business organisations and their employees. We do not knowingly collect personal data from individuals under the age of 18. If you believe we have inadvertently received data from a minor, please contact us at support@herculessuite.io and we will delete it promptly.
13. Data Processing Agreement
Our full Data Processing Agreement (DPA), which governs the processor relationship between Hercules and tenant-controllers, is available at herculessuite.io/trust/dpa. The DPA includes detailed provisions on subprocessor management, data subject rights assistance, security incident notification, cross-border transfer safeguards, and data deletion obligations.
Enterprise customers may request a custom DPA that incorporates their organisation’s specific compliance requirements by contacting support@herculessuite.io.
14. Governing Law
This Privacy Statement is governed by the laws of the Federal Republic of Nigeria, including the Nigeria Data Protection Act 2023, the Nigeria Data Protection Regulation 2019, and the Cybercrimes (Prohibition, Prevention, Etc.) Act 2015. Nothing in this statement limits any rights you may have under applicable law that cannot be excluded by contract.
15. Changes to This Statement
We may update this Privacy Statement from time to time to reflect changes in our practices, the services we offer, or applicable law. Material changes will be communicated to registered tenant administrators via email at least 14 days before they take effect. The “Last updated” date at the top of this page indicates when it was most recently revised.
Continued use of the platform after the effective date of any update constitutes acceptance of the revised statement. If you do not accept the changes, you should discontinue use and contact us to arrange deletion of your data.
16. Contact Us
For any questions, concerns, or requests relating to this Privacy Statement or the handling of your personal data, please contact:
Hercules Suite Limited
Privacy and Data Protection
Email: support@herculessuite.io
Support: support@herculessuite.io
We aim to acknowledge all privacy inquiries within 72 hours.
Acceptance
By registering for a Hercules tenant account or using the platform, you acknowledge that you have read and understood this Privacy Statement. If you are using Hercules on behalf of an organisation, you represent that you have the authority to bind that organisation to this statement and to our Data Processing Agreement.