Hercules Privacy Data Handling Summary
Last updated: 2026-03-14 (UTC)

PURPOSE LIMITATION
Data is processed solely for simulation campaign delivery, security awareness analytics, and compliance reporting outputs. No secondary commercial use.

CONTROLLER / PROCESSOR DISTINCTION
The tenant organisation is the data controller. Hercules is the data processor acting on documented controller instructions under an executed DPA.

PERSONAL DATA CATEGORIES
- Employee names and work email addresses (simulation targeting)
- Employee mobile phone numbers (smishing simulation targeting, stored encrypted at rest)
- Interaction events: opens, link clicks, SMS link clicks, report-phish actions
- Security awareness acknowledgement records (when an employee completes the training flow at caught.herculessuite.io)
- Device and browser metadata from interaction events
No sensitive personal data (financial, health, biometric) is processed.

LAWFUL BASIS (NDPR / NDPA)
Legitimate interest in security awareness training, consistent with CBN CRF obligations for regulated institutions and ISO 27001 A.7.2.2.

DATA RESIDENCY
Hosted on Railway infrastructure. Cross-border transfer implications under NDPR Article 2.11 should be assessed by tenant-controllers subject to CBN residency directives. DPA contractual safeguards apply.

TENANT ISOLATION
All data access is constrained by PostgreSQL row-level security (RLS) and tenant-scoped authorization. No cross-tenant data access is possible by design.

RETENTION
Active contract duration plus 90 days post-termination, then deletion. Earlier deletion available on request per DPA terms.

DATA SUBJECT RIGHTS (NDPR)
Rights requests (access, correction, deletion, objection) acknowledged within 72 hours and coordinated with the tenant-controller as data controller.

ACCESS GOVERNANCE
Privileged operational access is restricted to authorized roles and tracked in the audit log with operator attribution.

Contact: support@herculessuite.io