Privacy Statement

Last updated: December 30, 2025

1. Introduction

This Privacy Statement explains how Digital Trust AS (“Digital Trust,” “we,” “us,” or “our”) collects, uses, and protects personal data in connection with Night/Shift, our cloud-based Security Information and Event Management (SIEM) service.

This Privacy Statement applies to:

  • Visitors to our website
  • Users of Night/Shift SIEM (the “Service”)
  • Representatives of our business customers

Night/Shift SIEM is a business-to-business (B2B) service. We process personal data both as a data controller (for our own business purposes) and as a data processor (when processing customer data through the Service).

2. Personal Data We Process

2.1 Account and Contact Data (We are the Controller)

When you sign up for Night/Shift SIEM or contact us, we collect:

  • Account information: Company name, organization number, billing address, account holder name, email address, phone number
  • User information: Name, email address, job title, authentication credentials (passwords are encrypted)
  • Billing information: Payment method details, billing history, VAT number (if applicable)
  • Communication data: Content of emails, support tickets, and other communications with us

Legal basis: Performance of contract (Terms of Service), Legitimate interests (customer relationship management, service improvement)

2.2 Usage and Technical Data (We are the Controller)

When you use Night/Shift SIEM, we automatically collect:

  • Usage data: Login times, features used, configuration settings, dashboard interactions
  • Technical data: IP addresses, browser type and version, device information, operating system
  • Performance data: Error logs, system performance metrics, service uptime data

Legal basis: Performance of contract, legitimate interests (service operation, security, improvement)

Usage and technical data described in this section do not include the content of customer log data processed under Section 2.3.

2.3 Customer Log Data (We are the Processor)

When you use Night/Shift SIEM to process security logs and event data, that data may contain personal information such as:

  • IP addresses
  • Usernames and employee identifiers
  • Geolocation
  • Any other personal data in your log sources

For this data, you are the data controller, and we are the data processor. You determine which data is sent to Night/Shift SIEM and are responsible for ensuring you have a legal basis to process it. Our processing is governed by our Data Processing Agreement (DPA) as described in Section 12.

2.4 Marketing and Website Data (We are the Controller)

If you visit our website or marketing materials:

  • Website analytics: Pages visited, time on site, referral sources (via cookies)
  • Marketing data: Responses to campaigns, event attendance, downloaded resources

Legal basis: Consent (for marketing cookies and direct marketing where required), legitimate interests (website analytics, marketing effectiveness).

3. How We Use Personal Data

3.1 As Data Controller

We use personal data we control for:

  • Service provision: Creating and managing your account, processing payments, and providing support
  • Service improvement: Analyzing usage patterns, developing new features, improving security
  • Communication: Sending service notifications, responding to inquiries, and providing technical support
  • Compliance: Meeting legal obligations, preventing fraud, enforcing our terms
  • Marketing: Sending product updates and promotional materials (with consent where required)
  • Operations: We use billing information to process payments, issue invoices, and enforce payment terms, including late payment fees, as specified in our Terms of Service

Beta or experimental features of Night/Shift SIEM are clearly marked. They are subject to the same privacy protections as production features. We will notify you if beta features process data differently or require additional consent.

We may use aggregated and de-identified data derived from service usage for analytics, security research, and service improvement. We apply technical and organizational measures designed to prevent re-identification. This data does not identify you or your users.

Night/Shift SIEM provides automated alerts and analysis based on log patterns you configure. These are tools to assist your decision-making and do not constitute automated decisions with legal or similarly significant effects under GDPR Article 22.

3.2 As Data Processor

For customer log data you send to Night/Shift SIEM, we process it solely in accordance with your instructions and as necessary to provide the Service. We do not:

  • Use your log data for our own purposes
  • Share it with third parties except as required to provide the Service
  • Analyze it for marketing or product development

Your log data is processed in accordance with your configuration, retention settings, and the terms of our DPA.

4. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

  • Contract performance: To provide Night/Shift SIEM and fulfill our Terms of Service
  • Legitimate interests: To operate our business, improve our service, ensure security, and prevent fraud
  • Legal obligation: To comply with accounting, tax, and other legal requirements
  • Consent: For marketing communications and non-essential cookies (you may withdraw consent at any time)

For the data we process as a processor, the legal basis is determined by you as the controller.

5. Data Sharing and Disclosure

5.1 Subprocessors and Service Providers

We use third-party service providers (subprocessors) to help deliver Night/Shift SIEM. Current subprocessors include:

  • Cloud infrastructure providers
  • Payment processing providers
  • Transactional email services

All data processing occurs within the European Union. A current list of subprocessors is available by request.

We notify customers at least 30 days before adding or replacing subprocessors. If you object to a new subprocessor on reasonable data protection grounds, you may terminate your subscription without penalty.

All subprocessors are contractually bound to protect your data and process it only as instructed.

We may disclose personal data if required by law, court order, or government authority, or if necessary to:

  • Comply with legal obligations
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Enforce our Terms of Service

We will notify affected customers of such disclosures unless prohibited by law.

5.3 Business Transfers

If Digital Trust AS is involved in a merger, acquisition, or sale of assets, personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy statement.

5.4 Data Sales

We do not sell, rent, or trade personal data to third parties for marketing or any other purposes.

6. International Data Transfers

All data processing occurs within the European Union. We do not transfer personal data outside the EU/EEA. If international transfers become necessary in the future, we will:

  • Notify affected customers in advance
  • Implement appropriate safeguards (Standard Contractual Clauses, adequacy decisions)
  • Obtain consent where required

If you are located outside the EU/EEA but use our EU-based service, your personal data (account information) is transferred to the EU under the adequacy decision (if applicable) or Standard Contractual Clauses.

7. Data Retention

7.1 Account and Billing Data

We retain account and billing data for:

  • Active accounts: Duration of your subscription
  • After termination: 30 days for potential reactivation, then deleted
  • Billing records: 5 years to comply with Norwegian accounting laws (Bokføringsloven)

7.2 Customer Log Data

Customer log data retention is controlled by you through your Night/Shift SIEM configuration settings. Default retention is 90 days, but you can configure a shorter or longer period within the limits of your subscription plan.

Upon subscription termination:

  • Log data is retained for 30 days (unless you request immediate deletion)
  • After 30 days, all log data is securely deleted unless retention is required by law

7.3 Marketing Data

Marketing communication data is retained until you unsubscribe or withdraw consent, plus 6 months to honor your preferences.

We may retain data beyond normal retention periods if required by legal proceedings, investigations, or regulatory requirements.

7.5 Data During Service Suspension

If your service is suspended (e.g., for non-payment), your data remains stored but may not be processed until service is restored. Data retention periods begin upon formal termination, not suspension.

7.6 Trial Accounts

Data from trial accounts is subject to the same security and privacy protections as paid accounts. If you do not convert to a paid subscription, your data will be deleted 30 days after trial expiration.

8. Data Security

We implement appropriate technical and organizational measures to protect personal data:

Technical measures:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication for user accounts
  • Regular security testing and vulnerability assessments
  • Intrusion detection and prevention systems
  • Secure data centers with physical access controls

Organizational measures:

  • Access controls and least-privilege principles
  • Employee confidentiality obligations
  • Security awareness training
  • Incident response procedures
  • Regular security audits

Access to customer log data is strictly limited to authorized personnel and only as necessary to provide the Service or as instructed by you. All access is logged and monitored.

We will:

  • Notify relevant supervisory authorities within 72 hours where required by GDPR (when acting as controller)
  • Notify you without undue delay upon becoming aware of a personal data breach affecting customer log data (when acting as processor), as required by GDPR Article 33(2)
  • Notify affected data subjects without undue delay where required by GDPR (when acting as controller)

In the event of a security incident, we follow documented incident response procedures, including containment, investigation, remediation, and appropriate notifications.

9. Your Rights Under GDPR

As a data subject, you have the following rights regarding personal data we control:

9.1 Right of Access

Request confirmation of whether we process your personal data and obtain a copy of it.

9.2 Right to Rectification

Request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (“Right to be Forgotten”)

Request deletion of your personal data in certain circumstances, such as:

  • Data is no longer necessary for the purposes collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing based on legitimate interests
  • Data was unlawfully processed

This right may be limited by legal retention obligations.

9.4 Right to Restriction of Processing

Request that we limit how we use your data in certain circumstances.

9.5 Right to Data Portability

Receive your personal data in a structured, machine-readable format and transmit it to another controller.

9.6 Right to Object

Object to processing based on legitimate interests, including profiling and direct marketing.

Where processing is based on consent, you may withdraw it at any time by:

  • Clicking the unsubscribe link in marketing emails
  • Adjusting cookie preferences in your browser or our cookie banner
  • Contacting us by email or by post, as described in Section 14 below

Withdrawal does not affect the lawfulness of processing before withdrawal.

9.8 Right to Lodge a Complaint

Lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet):

Datatilsynet
Postboks 458 Sentrum
0105 Oslo
Norway

9.9 Exercising Your Rights

To exercise any of these rights, contact us as described in Section 14 below. We will respond within 30 days. We may request additional information to verify your identity. Where requests are complex or numerous, we may extend this period by up to 60 days, as permitted under the GDPR. We will inform you of any such extension within the initial 30-day period.

9.10 Rights Regarding Customer Log Data

If you are an employee or end-user of our customer and your personal data appears in logs processed through Night/Shift SIEM, you should direct any rights requests to your organization (the data controller). We will assist them in fulfilling these requests as required under our DPA.

10. Cookies and Tracking Technologies

10.1 Website Cookies

Our website uses cookies.

Essential cookies (no consent required):

  • Session management
  • Security and authentication
  • Load balancing

Analytics cookies (consent required):

  • Google Analytics - website usage statistics

Marketing cookies (consent required):

  • Google Ads - targeted advertising

You can manage cookie preferences through our cookie banner or browser settings. Details about cookie lifetimes and purposes are available in our cookie banner or cookie settings. Disabling cookies may affect website functionality.

Where third-party analytics services are used, such providers may act as independent controllers for their own processing.

10.2 Service Analytics

Night/Shift SIEM uses essential analytics to operate the service. These do not require consent as they are necessary for service provision under our Terms of Service.

11. Children’s Privacy

Night/Shift SIEM is a business service not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we discover we have inadvertently collected such data, we will promptly delete it.

12. Data Processing Agreement (DPA)

For customers who process personal data through Night/Shift SIEM, our separate Data Processing Agreement (DPA) applies and contains additional details about:

  • Scope and nature of processing
  • Categories of data subjects and personal data
  • Your instructions for processing
  • Data subject rights procedures
  • Security measures
  • Sub-processing arrangements
  • Data breach notification procedures
  • Audit rights

Our Data Processing Agreement (DPA), in accordance with GDPR Article 28, must be in place before we process personal data as your processor. The DPA template is available upon request.

13. Changes to This Privacy Statement

We may update this Privacy Statement from time to time. Material changes will be communicated via:

  • Email to registered account holders
  • Notice in the Night/Shift SIEM dashboard
  • Updated “Last updated” date at the top of this statement

Continued use of Night/Shift SIEM after changes take effect constitutes acceptance. We encourage you to review this statement periodically. Previous versions are available upon request.

14. Questions and Concerns

For questions about this Privacy Statement or our data practices, contact us by email at hello@nightshift.technology or by post at:

Digital Trust AS
Hasleveien 28A
0571 Oslo
Norway

For GDPR-related concerns, you may also contact Datatilsynet (the Norwegian Data Protection Authority), as described in Section 9.8.
