Privacy Policy


Effective date: 15 May 2026



1. Introduction

This Privacy Policy (the "Policy") describes how Dynova Services FZ-LLC ("Dynova", "we", "us", or "our") collects, uses, discloses, and otherwise processes personal data in connection with our website business-ciso.com (the "Website") and the cybersecurity advisory services we provide, including virtual CISO (vCISO), Security Operations Center (SOC), and related consulting services (collectively, the "Services").

We are committed to processing personal data in accordance with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (the "UAE PDPL") and its implementing regulations, together with any guidance issued by the UAE Data Office.

By using the Website, contacting us, or engaging Dynova for the Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Website or provide personal data to us.

2. Data Controller


For the purposes of the UAE PDPL, the data controller of the personal data described in this Policy is:

Dynova Services FZ-LLC

Registered office: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.

Privacy enquiries: denia@business-ciso.com

Dynova has not appointed a Data Protection Officer on the basis that our processing activities do not meet the thresholds set out in Article 10 of the UAE PDPL. Privacy enquiries are handled by Dynova management at the address above.

3. Scope of this Policy

This Policy applies to personal data we process when:

  • you visit, browse, or interact with the Website;

  • you submit a contact form, request information, or schedule a discovery call with us;

  • you correspond with us by email, telephone, messaging applications, or other channels;

  • you negotiate, enter into, or perform a service agreement with us on behalf of yourself or your organisation; or

  • we deliver vCISO, SOC, or related advisory Services to a client organisation and, in doing so, process personal data about that organisation's personnel.

This Policy does not apply to personal data that we process strictly on behalf of a client under a written service agreement, where the client determines the purposes and means of the processing. In those cases, the client acts as the data controller and Dynova acts as a data processor; the client's own privacy notice will govern. Further detail is provided in Section 5.3.

4. Categories of Personal Data We Process

4.1 Website visitors and prospective clients

When you visit the Website, submit an enquiry, or request a discovery call, we may collect:

  • Identification and contact data — full name, job title, employer or organisation, business email address, business telephone number, country or city of operation.

  • Enquiry content — the subject of your enquiry, the nature of the Services you are interested in, and any information you choose to share about your organisation's environment, compliance posture, or security objectives.

  • Technical data — IP address, browser type and version, device information, operating system, referring URL, pages visited, and timestamps. This data is collected automatically through standard web logs and, where applicable, cookies (see Section 12).

4.2 Contracting parties and authorised representatives


Where a discovery discussion progresses to a commercial engagement, we process additional personal data necessary to negotiate, conclude, and administer the contract, including:

  • names, titles, and contact details of signatories, decision-makers, finance contacts, and points of contact at the client;

  • signatures (handwritten or electronic) on engagement letters, master service agreements, statements of work, non-disclosure agreements, and other contractual documents;

  • billing information such as invoicing contact details and, where required, business identifiers (for example, trade licence numbers) sufficient to issue tax-compliant invoices in the UAE.

4.3 Client personnel processed during delivery of the Services

In the ordinary course of delivering vCISO and SOC Services, Dynova does not seek or require access to personal data relating to our clients' own customers, end-users, or other data subjects whose data the client controls. We expressly avoid such access by design.

However, in order to perform the Services, we routinely process limited categories of personal data relating to the client's own employees, contractors, and other workforce members, including:

  • full names;

  • business email addresses;

  • business telephone numbers;

  • job titles, roles, and reporting lines;

  • departments, business units, or functional areas;

  • user account identifiers (for example, usernames, sign-in identifiers) and information about access entitlements, group memberships, and role assignments, as exposed through access reviews and identity governance activities;

  • content of business communications exchanged with Dynova during the engagement (for example, emails, chat messages, and meeting notes).

This processing is necessary to communicate with the right individuals at the client, to perform access reviews and least-privilege analysis, to investigate security incidents involving the client's own workforce, to deliver awareness and training materials, and to produce reports and recommendations to the client's management.

4.4 Sensitive personal data

We do not intentionally collect sensitive personal data within the meaning of Article 15 of the UAE PDPL (such as data relating to racial or ethnic origin, religious beliefs, health, biometric or genetic data) through the Website or in the course of the Services. You should not submit sensitive personal data to us unless we have specifically requested it and a lawful basis for processing it has been established.

4.5 Children

The Website and Services are intended for business audiences and are not directed at children. We do not knowingly collect personal data from individuals under the age of 18. If you believe a child has provided personal data to us, please contact us at denis@business-ciso.com so that we can take appropriate action.

5. Purposes and Lawful Basis for Processing

Article 4 of the UAE PDPL requires that personal data be processed on a defined lawful basis. The principal purposes for which we process personal data, and the lawful bases on which we rely, are set out below.

5.1 Responding to enquiries and conducting discovery calls

Purpose: to acknowledge and respond to your enquiry, schedule and conduct discovery calls, understand your organisation's requirements, and provide information about the Services.

Lawful basis: your consent, demonstrated by your decision to submit a contact form, send us an email, or otherwise initiate contact with us; and the necessity of the processing to take steps at your request prior to entering into a contract.

5.2 Negotiating and concluding service agreements

Purpose: to prepare, negotiate, sign, and administer engagement letters, master service agreements, statements of work, non-disclosure agreements, and related contractual documentation; to perform know-your-customer and sanctions screening to the extent required by applicable law; and to issue and collect invoices.

Lawful basis: processing necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into such a contract; and compliance with legal obligations to which Dynova is subject in the UAE.

5.3 Delivering vCISO, SOC, and related Services

Purpose: to deliver the Services agreed with the client. This includes communicating with client personnel, conducting security assessments, performing access reviews and identity governance work, supporting incident response, producing reports, and discharging the other obligations set out in the relevant statement of work.

In relation to personal data of the client's own employees and contractors that Dynova processes as part of the Services, the client is generally the data controller and Dynova acts as a data processor on the client's behalf, within the meaning of the UAE PDPL. We process such personal data in accordance with the client's documented instructions, the terms of the relevant service agreement, and applicable law. Data subjects who have questions about the processing of their personal data in this context should first contact their employer or the relevant client organisation.

Where Dynova processes personal data for its own internal purposes (for example, retaining engagement records, managing client relationships, or maintaining records that demonstrate professional due diligence), Dynova acts as a data controller in respect of that processing.

5.4 Operating and improving the Website

Purpose: to host the Website, ensure it is available and secure, prevent and detect fraud and misuse, analyse aggregate traffic patterns, and improve content and user experience.

Lawful basis: our legitimate interests in operating, securing, and improving the Website, balanced against your interests and fundamental rights; and, where applicable for non-essential cookies, your consent (see Section 12).

5.5 Compliance with legal and regulatory obligations

Purpose: to comply with laws and regulations applicable to Dynova in the UAE, including tax, accounting, anti-money-laundering, sanctions, and data protection laws; to respond to lawful requests from competent public authorities; and to defend our legal rights.

Lawful basis: compliance with a legal obligation to which Dynova is subject; and our legitimate interests in establishing, exercising, or defending legal claims.

5.6 Marketing and business development

Purpose: to send occasional service updates, insights, and other business communications to existing and prospective clients who have provided their business contact details to us.

Lawful basis: your consent, where required by law; and our legitimate interests in promoting our Services to a professional audience. You may opt out of marketing communications at any time by contacting denis@business-ciso.com or by using the unsubscribe link in any marketing email.

6. Disclosure of Personal Data

We do not sell personal data. We disclose personal data only to the categories of recipients set out below and only to the extent necessary for the purposes described in this Policy:

  • Dynova personnel and authorised contractors who need access to perform their roles and who are bound by confidentiality obligations;

  • Service providers and sub-processors that support our business operations, including providers of cloud hosting, email and collaboration platforms, customer relationship management, accounting and invoicing, electronic signature, and analytics. Such providers are engaged under written agreements that include appropriate confidentiality and data protection commitments;

  • Professional advisers, including lawyers, auditors, and tax advisers, where reasonably necessary;

  • Competent public authorities, regulators, courts, and law enforcement, where required by law or in response to a lawful request;

  • Counterparties to a corporate transaction, in connection with any actual or contemplated merger, acquisition, financing, or reorganisation involving Dynova, subject to appropriate confidentiality safeguards.

Where we engage a third party to process personal data on our behalf as a data processor, we put in place written terms that meet the requirements of Article 6 of the UAE PDPL.

7. International Transfers

Dynova is established in the United Arab Emirates. Some of the service providers and sub-processors that we use are established outside the UAE, and personal data may therefore be transferred to, stored in, or accessed from jurisdictions outside the UAE.

Where we transfer personal data outside the UAE, we do so in accordance with Articles 22 and 23 of the UAE PDPL. In particular, we transfer personal data only to jurisdictions that provide an adequate level of protection as determined by the UAE Data Office or, in the absence of such a determination, on the basis of one of the safeguards or derogations permitted by the UAE PDPL, including appropriate contractual commitments with the recipient and, where required, your consent.

8. Data Retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, tax, or reporting requirements. Our retention practices include:

  • Enquiries that do not result in an engagement: retained for up to 24 months from the date of last contact, after which the data is deleted or anonymised, unless we have a legitimate reason to retain it for longer.

  • Engagement and contractual records: retained for the duration of the engagement and for a further period determined by the limitation periods applicable under UAE law and our legal, tax, and accounting obligations (typically a minimum of five years following termination of the engagement).

  • Personal data processed as a data processor on behalf of a client: retained and deleted in accordance with the client's documented instructions and the terms of the relevant service agreement. On termination of the engagement, we return or delete such personal data as instructed by the client, subject to any legal obligation requiring continued retention.

  • Website technical logs and analytics data: retained for the periods set out in our cookie information and adjusted from time to time based on operational and security needs.

9. Security

Dynova has implemented technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, alteration, or disclosure, as required by Article 20 of the UAE PDPL. These measures include access controls, encryption of data in transit and, where appropriate, at rest, multi-factor authentication, logging and monitoring, sub-processor due diligence, and personnel confidentiality obligations.

No system can be guaranteed to be fully secure. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, Dynova will notify the UAE Data Office and, where applicable, affected data subjects in accordance with Article 9 of the UAE PDPL.

10. Your Rights under the UAE PDPL

Subject to the conditions and exceptions set out in the UAE PDPL, you have the following rights in respect of your personal data:

  • Right to information and access — to obtain confirmation as to whether we process personal data about you and, if so, to receive information about that processing and a copy of the data.

  • Right to request transfer (data portability) — to receive personal data that you have provided to us, in a structured and machine-readable format, and to have it transmitted to another controller where technically feasible.

  • Right to correction — to have inaccurate or incomplete personal data corrected.

  • Right to erasure — to have personal data deleted in the circumstances described in Article 16 of the UAE PDPL.

  • Right to restrict processing — to request that we limit the processing of your personal data in certain circumstances.

  • Right to stop processing — to require us to stop processing your personal data where the processing is not necessary for the performance of a contract, compliance with a legal obligation, or another lawful purpose under the UAE PDPL.

  • Right to object to automated decision-making — to object to decisions about you that are based solely on automated processing and that produce legal effects or significantly affect you. Dynova does not currently make decisions about individuals on a solely automated basis.

  • Right to withdraw consent — where we process personal data on the basis of your consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

  • Right to lodge a complaint — to file a complaint with the UAE Data Office if you believe that our processing of your personal data infringes the UAE PDPL.

11. How to Exercise Your Rights

To exercise any of the rights set out in Section 10, please contact us at denis@business-ciso.com with a clear description of your request and sufficient information to enable us to verify your identity. We will respond to your request within the timeframes prescribed by the UAE PDPL.

We may decline to act on a request, or charge a reasonable fee, where the request is manifestly unfounded or excessive, or where an exception under the UAE PDPL applies. In such cases, we will explain our reasons.

If you are an employee or contractor of a Dynova client and your personal data is being processed by Dynova in the context of the Services, please direct your request in the first instance to your employer or the relevant client organisation, which is generally the data controller. We will support the client in responding to your request as required under the relevant service agreement.

You also have the right to lodge a complaint directly with the UAE Data Office if you believe that our processing of your personal data does not comply with the UAE PDPL.

12. Cookies and Similar Technologies

The Website uses cookies and similar technologies to operate, secure, and analyse the use of the Website. Cookies are small text files that are placed on your device when you visit a website.

We use:

  • Strictly necessary cookies, which are required for the operation of the Website and cannot be disabled in our systems;

  • Analytics cookies, where applicable, which help us understand how visitors use the Website on an aggregated and pseudonymised basis;

  • Functional cookies, which remember choices that you make to provide enhanced functionality.

You can control cookies through your browser settings and, where applicable, through the cookie notice presented on the Website. Disabling certain cookies may affect the functionality of the Website.

13. Third-Party Links

The Website may contain links to third-party websites, applications, or services that are not operated by Dynova. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third party before providing personal data to it.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other reasons. The "Effective date" at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Where changes are material, we will take additional steps to notify you, such as by posting a prominent notice on the Website or, where appropriate, contacting you directly.

15. Contact Us

If you have any questions about this Policy or our processing of personal data, please contact:

Dynova Services FZ-LLC

Privacy enquiries: denis@business-ciso.com

Registered office: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.


  • Right to correction — to have inaccurate or incomplete personal data corrected.

  • Right to erasure — to have personal data deleted in the circumstances described in Article 16 of the UAE PDPL.

  • Right to restrict processing — to request that we limit the processing of your personal data in certain circumstances.

  • Right to stop processing — to require us to stop processing your personal data where the processing is not necessary for the performance of a contract, compliance with a legal obligation, or another lawful purpose under the UAE PDPL.

  • Right to object to automated decision-making — to object to decisions about you that are based solely on automated processing and that produce legal effects or significantly affect you. Dynova does not currently make decisions about individuals on a solely automated basis.

  • Right to withdraw consent — where we process personal data on the basis of your consent, to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

  • Right to lodge a complaint — to file a complaint with the UAE Data Office if you believe that our processing of your personal data infringes the UAE PDPL.

11. How to Exercise Your Rights

To exercise any of the rights set out in Section 10, please contact us at denis@business-ciso.com with a clear description of your request and sufficient information to enable us to verify your identity. We will respond to your request within the timeframes prescribed by the UAE PDPL.

We may decline to act on a request, or charge a reasonable fee, where the request is manifestly unfounded or excessive, or where an exception under the UAE PDPL applies. In such cases, we will explain our reasons.

If you are an employee or contractor of a Dynova client and your personal data is being processed by Dynova in the context of the Services, please direct your request in the first instance to your employer or the relevant client organisation, which is generally the data controller. We will support the client in responding to your request as required under the relevant service agreement.

You also have the right to lodge a complaint directly with the UAE Data Office if you believe that our processing of your personal data does not comply with the UAE PDPL.

12. Cookies and Similar Technologies

The Website uses cookies and similar technologies to operate, secure, and analyse the use of the Website. Cookies are small text files that are placed on your device when you visit a website.

We use:

  • Strictly necessary cookies, which are required for the operation of the Website and cannot be disabled in our systems;

  • Analytics cookies, where applicable, which help us understand how visitors use the Website on an aggregated and pseudonymised basis;

  • Functional cookies, which remember choices that you make to provide enhanced functionality.

You can control cookies through your browser settings and, where applicable, through the cookie notice presented on the Website. Disabling certain cookies may affect the functionality of the Website.

13. Third-Party Links

The Website may contain links to third-party websites, applications, or services that are not operated by Dynova. This Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy notices of any third party before providing personal data to it.

14. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other reasons. The "Effective date" at the top of this Policy indicates when it was last updated. We encourage you to review this Policy periodically. Where changes are material, we will take additional steps to notify you, such as by posting a prominent notice on the Website or, where appropriate, contacting you directly.

15. Contact Us

If you have any questions about this Policy or our processing of personal data, please contact:

Dynova Services FZ-LLC

Privacy enquiries: denis@business-ciso.com

Registered office: Meydan Grandstand, 6th floor, Meydan Road, Nad Al Sheba, Dubai, U.A.E.

Get started

Don’t scale security harder. Scale smarter.

Dynova provides Virtual CISO and Fractional CISO services, covering all aspects of security, from assessments, strategy, and policies to technical reviews of architecture, security testing, and core review.

Info: denis@business-ciso.com 

Incident Report: soc@business-ciso.com


Dynova Services LLC-FZ, Regulated by License 2644102.01, Issued by Meydan Free Zone
