Privacy Policy
Test of Things Cybersecurity Compliance Platform
This Privacy Policy describes how Cybertools Group Oy (“ToT”, “we”, “us”) processes personal data in connection with the Test of Things compliance platform (the “Platform”) and our website at testofthings.com (the “Website”). It is published at testofthings.com/privacy-policy and applies to data processed in our role as controller. Where ToT processes personal data on behalf of a customer in the role of processor, that processing is governed by the data processing agreement entered into with that customer.
Last updated: 19.5.2026
1. Controller and contact details
The controller for the personal data described in this Policy is:
Cybertools Group Oy (Test of Things)
Halkosuontie 1 C, 00660 Helsinki, Finland
Business identity code: 3455880-3
Email: privacy@testofthings.com
For questions about this Policy or to exercise your rights, contact us at the email above. You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (Tietosuojavaltuutettu, www.tietosuoja.fi) or another competent supervisory authority.
2. Who this Policy is for
This Policy is for:
visitors to the Website;
representatives and authorised users of our customers and prospective customers; and
recipients of our marketing communications.
When you use the Platform on behalf of a customer organisation, your employer is the controller of the data you enter through the Platform. ToT acts as a processor of that data, and the customer’s own privacy notice applies. This Policy covers ToT’s role as the controller of your account and authentication data.
3. Personal data we process and why
3.1 Account and authentication data
When you sign up to use the Platform, we process the following personal data:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| Name, work email | Creating and managing your account; communicating about your use of the Platform | Performance of contract (the customer agreement under which you are an authorised user) and our legitimate interest in operating a usable platform | Duration of your active account, plus 12 months after deactivation |
| Authentication metadata via Firebase (Google) | Verifying your identity when signing in | Performance of contract | Duration of your active account |
| Role and access logs (which user accessed what feature, when) | Operating the Platform; troubleshooting; security; complying with our customers’ audit obligations | Legitimate interest; performance of contract | 6 months operational; longer in the customer’s evidence record per the customer’s data processing agreement |
3.2 Data you enter through the Platform
When you use the Platform on behalf of a customer organisation, you may enter personal data into compliance documentation (for example, the names of your colleagues responsible for a security control) or into security test data (for example, log entries containing user identifiers). For that data, ToT acts as a processor on behalf of the customer organisation. The customer’s data processing agreement with ToT and the customer’s own privacy notice govern the processing.
3.3 Website usage data
When you visit the Website, we process:
| Data | Purpose | Legal basis | Retention |
|---|---|---|---|
| IP address, browser type, pages visited, referrer | Operating the Website; analytics | Legitimate interest in understanding and improving Website performance | 14 months |
| Cookies (see clause 8) | As described in clause 8 | Consent (non-essential cookies) or legitimate interest (strictly necessary cookies) | As described in clause 8 |
3.4 Marketing data
If you sign up to receive marketing communications, we process your name, work email and the topics you have indicated interest in. Legal basis: your consent. You can withdraw consent at any time using the unsubscribe link in any marketing email or by emailing privacy@testofthings.com. Retention: until you unsubscribe, plus 12 months thereafter to demonstrate that consent was withdrawn.
4. Sources of personal data
We collect personal data:
directly from you when you create an account, contact us, or sign up to receive marketing;
automatically when you use the Platform or the Website;
from your employer or organisation when it nominates you as an authorised user.
5. Sharing your personal data
We share personal data with the following recipients:
| Recipient | Role | Country |
|---|---|---|
| Google LLC / Google Ireland Ltd | Cloud hosting (Google Cloud, EEA region); Firebase authentication | EEA; United States |
| Google LLC / Google Ireland Ltd | Gemini API on Vertex AI / Gemini Enterprise Agent Platform | EEA |
| Professional advisors (legal, accounting, audit) | Provision of professional services to ToT | Finland and EEA |
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
When personal data is transferred outside the European Economic Area, we rely on the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914) or another transfer mechanism recognised under GDPR Chapter V. You may obtain a copy of the safeguards by contacting privacy@testofthings.com.
6. AI processing
ToT integrates AI Features into the Platform. The AI Features may, with the customer’s authorisation, process customer data through Gemini as identified in clause 5. The customer’s authorisation, the categories of data processed, and the safeguards applicable to the AI processing are set out in the customer’s AI Use Disclosure and data processing agreement.
We do not use customer data, account data or Website analytics data to train AI models, and we do not authorise our AI sub-processors to use customer data to train their models.
7. Your rights
Subject to applicable law, you have the following rights in respect of your personal data:
access to your personal data;
rectification of inaccurate personal data;
erasure (“right to be forgotten”) in the circumstances set out in GDPR Article 17;
restriction of processing in the circumstances set out in GDPR Article 18;
data portability for data processed by automated means on the basis of your consent or a contract with you;
objection to processing based on legitimate interest, including profiling;
withdrawal of consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
To exercise these rights, contact privacy@testofthings.com. We respond within one month, with an extension of up to two further months in complex cases.
You also have the right to lodge a complaint with the Finnish Data Protection Ombudsman (www.tietosuoja.fi) or another competent supervisory authority.
8. Cookies
The Website uses cookies and similar technologies. Strictly necessary cookies are used to operate core Website functions; analytics cookies are used only with your consent. You can manage your preferences through the Website’s cookie banner.
9. Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration or destruction. The measures applicable to data we process on behalf of customers are described in the data processing agreement with the customer.
10. Changes to this Policy
We may update this Policy from time to time. The “Last updated” date at the top reflects the date of the latest material change. We will notify customers of material changes through the Platform or by email.
11. Contact
For questions about this Policy or to exercise your rights, contact privacy@testofthings.com.