Privacy Policy
Effective Date: March 31, 2026 · Last Updated: March 31, 2026
1. Overview
This Privacy Policy describes how Information Security Media Group, Inc. (“ISMG,” “we,” “us,” or “our”), operating the [Null0ps] platform (the “Platform”), collects, uses, discloses, and protects your personal information. Null0ps is an on-demand cybersecurity talent dispatch marketplace that connects vetted security professionals (“Talent/Trainer”) with organizations (“Clients”) for training delivery, security assessments, advisory engagements, and related cybersecurity services.
By accessing or using the Platform, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree with any part of this Policy, you must not access or use the Platform.
This Policy applies to all users of the Platform, including Talent, Clients, Producers (internal account managers), and Administrators. It does not apply to third-party websites or services linked from the Platform.
2. Information We Collect
2.1 Account and Identity Information
When you register for an account, we collect:
- Full name, email address, and phone number
- Password (stored as a cryptographic hash; we never store plaintext passwords)
- Account role (Admin, Producer, Talent, or Client)
- Session tokens and authentication metadata
2.2 Talent/Trainer Profile Information
If you register as Talent/Trainer, we collect additional professional information:
- Professional biography and resume URL
- Areas of specialization (e.g., penetration testing, AI security, hardware hacking)
- Professional certifications (e.g., OSCP, GPEN, CISSP)
- Hourly and daily rate information
- Security clearance level, where applicable
- Geographic location and timezone
- Availability calendar data
- Performance scores, reliability scores, and composite ranking metrics
- Stripe Connect account identifier (for payment processing)
2.3 Client Organization Information
If you register as a Client, we collect:
- Organization name and industry
- Primary contact information and billing email
- Business address
- Stripe Customer identifier (for payment processing)
- Geocoded latitude and longitude of your organization (used for engagement visualization and logistics)
2.4 Engagement and Gig Data
When Clients book engagements or Talent participates in gigs, we process:
- Engagement title, description, type, dates, and location
- Budget and payment amounts
- Clearance and compliance requirements
- Gig worksheets containing rules of engagement, NDA requirements, hardware/software/network prerequisites, and special instructions
- Geocoded coordinates for engagement locations (used for internal global dispatch visualization and not publicly available)
2.5 Contract and Legal Documents
We generate and store:
- Master Service and Staffing Agreements (MSSA)
- Statements of Work (SOW)
- Non-Disclosure Agreements (NDA)
- Digital signatures, signing timestamps, and document URLs
2.6 Payment Information
We record payment amounts, platform fees, and Stripe transaction identifiers. We do not store credit card numbers, bank account numbers, or other sensitive financial instrument details. All payment processing is handled by Stripe, Inc., which maintains PCI DSS Level 1 compliance. Please refer to Stripe’s Privacy Policy for details on how Stripe processes your financial data.
2.7 Reviews and Feedback
We collect:
- Star ratings across multiple dimensions (overall, communication, professionalism, technical skill, content quality, delivery quality)
- Written feedback text
- AI-generated sentiment scores derived from feedback text (see Section 4)
2.8 Deliverables
Post-engagement, we may store:
- After-Action Reviews (AARs)
- Completion certificates
- Engagement reports
- Associated file URLs
2.9 Communications Metadata
We log dispatch notification metadata (channel used, delivery status, timestamp, and response status). We do not store the content of email or SMS/WhatsApp messages; these are transmitted via third-party APIs (AWS SES and Twilio) and are subject to their respective privacy policies.
2.10 Automatically Collected Information
When you interact with the Platform, we may automatically collect:
- IP address, browser type, operating system, and device information
- Pages visited, access times, and referring URLs
- Session and authentication cookies necessary for Platform operation
3. How We Use Your Information
We process your personal information for the following purposes and on the following legal bases (as required under the EU General Data Protection Regulation (“GDPR”), Article 6):
3.1 Performance of Contract (GDPR Art. 6(1)(b))
- Creating and managing your account
- Matching Talent to Client engagements via our dispatch engine
- Generating and managing contracts (MSSA, SOW, NDA)
- Processing payments between Clients and Talent via Stripe
- Delivering engagement notifications via email (AWS SES) and SMS/WhatsApp (Twilio)
- Managing the gig lifecycle (booking, dispatch, claim, delivery, completion)
- Providing availability calendar functionality for Talent
3.2 Legitimate Interests (GDPR Art. 6(1)(f))
- Computing Talent performance and reliability scores to maintain service quality
- Calculating composite ranking scores for tiered dispatch (see Section 9)
- Analyzing review sentiment via AI to surface quality insights (see Section 4)
- Generating aggregate analytics for platform operations (admin dashboards)
- Visualizing global engagement distribution via our dispatch heatmap
- Detecting, preventing, and addressing security incidents, fraud, or abuse
- Improving Platform features, usability, and performance
3.3 Legal Obligation (GDPR Art. 6(1)(c))
- Complying with applicable tax, accounting, and financial reporting requirements
- Responding to lawful requests from law enforcement or regulatory authorities
- Maintaining records as required by applicable data protection laws
3.4 Consent (GDPR Art. 6(1)(a))
- Sending optional marketing communications (where applicable and with your prior opt-in consent)
- Processing special categories of data, if ever applicable (e.g., government clearance verifications, with explicit consent)
Where we rely on consent, you may withdraw it at any time by contacting us at privacy@cybered.academy. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.
4. AI-Powered Features
The Platform uses artificial intelligence to enhance service quality. Specifically:
4.1 Sentiment Analysis
When Clients submit written feedback on completed engagements or trainings, the feedback text is sent to the Anthropic Claude API for sentiment analysis. The AI processes the text and returns a numerical sentiment score (1.00–5.00). This score is stored alongside the review and contributes to Talent composite ranking calculations.
Data sent to Anthropic: Only the feedback text is transmitted. No personally identifying information (name, email, or account details) is included in the API request.
Anthropic’s data handling: Anthropic does not use API inputs or outputs to train its models. Please refer to Anthropic’s Privacy Policy for further details.
4.2 Tier Management Suggestions
Our system may generate AI-powered suggestions for Talent tier adjustments (e.g., promotion from B-list to A-list) based on performance data. These suggestions are advisory only and require human review and approval by an Administrator before any tier change is applied.
5. Data Sharing and Sub-Processors
We share your personal information only as described below. We do not sell your personal information to third parties.
5.1 Sub-Processors
We engage the following third-party sub-processors to operate the Platform. Each sub-processor is contractually bound to process data only for the purposes we specify, in compliance with applicable data protection laws:
| Sub-Processor | Purpose | Data Processed |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, row-level security | All Platform data (encrypted at rest and in transit) |
| Stripe, Inc. | Payment processing (Client charges, Talent payouts via Stripe Connect) | Payment amounts, Stripe account/customer IDs; Stripe handles all sensitive financial data |
| Amazon Web Services (SES) | Transactional email delivery (dispatch notifications, booking alerts) | Recipient email addresses, email content (transient; not stored by Platform) |
| Twilio, Inc. | SMS and WhatsApp message delivery (dispatch notifications, booking alerts) | Recipient phone numbers, message content (transient; not stored by Platform) |
| Anthropic, PBC | AI sentiment analysis of review feedback | Review feedback text only (no PII transmitted) |
5.2 Platform Users
Certain information is shared between Platform users as part of normal operations:
- Talent profiles (name, bio, specializations, certifications, ratings) are visible to Administrators, Producers, and Clients who book engagements.
- Client organization details (name, engagement requirements) are shared with Talent assigned to their engagements.
- Reviews and ratings are visible to Administrators, Producers, and (in aggregate form) to other Platform users.
5.3 Legal and Compliance Disclosures
We may disclose your information if required by law, court order, subpoena, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or respond to a government request.
5.4 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or other corporate transaction, your information may be transferred to the acquiring entity. We will notify you via email or a prominent notice on the Platform before your information becomes subject to a different privacy policy.
6. International Data Transfers
The Platform is hosted in the United States. If you access the Platform from outside the United States, including from the European Economic Area (“EEA”), the United Kingdom (“UK”), or India, your personal information will be transferred to, stored, and processed in the United States.
6.1 EU/EEA and UK Transfers
For transfers of personal data from the EEA or UK to the United States, we rely on Standard Contractual Clauses (“SCCs”) as approved by the European Commission (Decision 2021/914) and the UK International Data Transfer Addendum, as applicable. Our sub-processors similarly maintain appropriate transfer mechanisms. You may request a copy of the applicable SCCs by contacting us at dpo@cybered.academy.
6.2 India Transfers
For transfers of personal data from India, we process data in accordance with the Digital Personal Data Protection Act, 2023 (“DPDPA”) and the Information Technology Act, 2000. We transfer data to countries permitted under applicable notifications issued by the Central Government of India. Where required, we implement appropriate contractual and organizational safeguards.
7. Data Retention
We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, to comply with legal obligations, or to resolve disputes. Specific retention periods:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account plus 30 days after deletion request |
| Talent profiles | Duration of account plus 90 days |
| Engagement and gig records | 7 years from engagement completion (tax/audit compliance) |
| Contracts (MSSA, SOW, NDA) | 7 years from contract expiration or termination |
| Payment records | 7 years (financial regulatory requirements) |
| Reviews and ratings | Duration of associated account; anonymized data may be retained indefinitely for analytics |
| Dispatch notifications (metadata) | 2 years |
| Deliverables (AARs, certs, reports) | 5 years from engagement completion |
| Server logs and access data | 90 days |
Upon expiration of the applicable retention period, personal data is securely deleted or irreversibly anonymized.
8. Your Rights
Depending on your jurisdiction, you may have certain rights regarding your personal information. We honour these rights regardless of where you are located, to the extent reasonably practicable.
8.1 Rights Under the EU/UK GDPR
If you are located in the EEA or UK, you have the following rights under the General Data Protection Regulation:
- Right of Access (Art. 15): Request a copy of the personal data we hold about you.
- Right to Rectification (Art. 16): Request correction of inaccurate or incomplete personal data.
- Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements.
- Right to Restriction (Art. 18): Request that we restrict processing of your personal data in certain circumstances.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling for dispatch ranking.
- Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 9 for details on our automated processing.
You may also lodge a complaint with your local supervisory authority. For EU data subjects, a list of supervisory authorities is available at edpb.europa.eu. For UK data subjects, you may contact the Information Commissioner’s Office (ICO) at ico.org.uk.
8.2 Rights Under the California Consumer Privacy Act (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the purposes of processing, and the categories of third parties with whom we share data.
- Right to Delete: Request deletion of your personal information, subject to certain exceptions (e.g., legal obligations, ongoing transactions).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell your personal information or share it for cross-context behavioral advertising purposes.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive personal information to purposes necessary for providing the Platform.
To exercise your CCPA rights, submit a request to privacy@cybered.academy. We will verify your identity before processing your request.
8.3 Rights Under India’s Digital Personal Data Protection Act (DPDPA), 2023
If you are a data principal located in India, you have the following rights under the DPDPA and the Information Technology Act, 2000:
- Right to Access: Obtain a summary of your personal data and the processing activities undertaken.
- Right to Correction and Erasure: Request correction of inaccurate data, completion of incomplete data, updating of outdated data, and erasure of data no longer necessary for the specified purpose.
- Right to Grievance Redressal: File a grievance with our designated grievance officer. If you are unsatisfied with our response, you may file a complaint with the Data Protection Board of India.
- Right to Nominate: Nominate an individual to exercise your rights on your behalf in the event of your death or incapacity.
Our designated grievance officer for India can be contacted at dpo@cybered.academy.
8.4 Exercising Your Rights
To exercise any of the above rights, contact us at privacy@cybered.academy. We will respond to verifiable requests within the timeframes required by applicable law:
- GDPR: Within one (1) month (extendable by two months for complex requests)
- CCPA: Within forty-five (45) days (extendable by an additional 45 days)
- DPDPA: Within a reasonable timeframe as prescribed by applicable rules
9. Automated Decision-Making and Profiling
The Platform employs automated processing to compute a composite ranking score for each Talent professional. This score is used to determine the order in which Talent receives engagement notifications through our tiered dispatch system.
9.1 Composite Ranking Score
The composite ranking score is calculated using nine weighted factors:
- Trainer delivery rating (25%)
- Performance score (15%)
- Reliability score (10%)
- Review volume (7%)
- Review recency (8%)
- Total trainees taught (10%)
- Completed training engagements (8%)
- Training level weighting (10%)
- Content contribution (7%)
This score influences the tiered dispatch system: higher-ranked Talent (A-list tier) receives engagement notifications before lower-ranked Talent (B-list tier). The score does not make hiring decisions autonomously—a qualified Talent professional must still actively claim each engagement, and Clients may request specific Talent regardless of ranking.
9.2 Sentiment Analysis Scoring
Written review feedback is processed by the Anthropic Claude API to generate a sentiment score (1.00–5.00). This score constitutes 20% of each individual review’s composite score, which in turn contributes to the Talent’s aggregate ranking.
9.3 Your Rights Regarding Automated Processing
Under GDPR Article 22, you have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. Because our automated scoring system:
- Influences notification priority rather than making hiring or rejection decisions
- Does not prevent any qualified Talent from accessing or claiming engagements
- Is subject to human oversight (Administrators can manually adjust tiers and assign Talent directly)
we believe it does not constitute solely automated decision-making with legal or similarly significant effects. Nonetheless, you may:
- Request an explanation of your composite ranking score and the factors that contributed to it
- Contest the accuracy of data used in the scoring calculation
- Request human review of any tier determination or dispatch priority decision
To exercise these rights, contact privacy@cybered.academy.
10. Cookies and Tracking Technologies
10.1 Essential Cookies
The Platform uses essential (strictly necessary) cookies to operate core functionality:
- Authentication session cookies: Managed by Supabase Auth to maintain your logged-in state. These are first-party, httpOnly, secure cookies that expire when your session ends or after a configured timeout.
- CSRF protection tokens: Used to prevent cross-site request forgery attacks.
These cookies are necessary for the Platform to function and cannot be disabled.
10.2 Analytics and Tracking
As of the effective date of this Policy, the Platform does not use third-party analytics cookies, advertising trackers, or social media pixels. If we introduce such technologies in the future, we will update this Policy and, where required by law, obtain your consent before deploying them.
10.3 Managing Cookies
You can manage cookies through your browser settings. Disabling essential cookies may prevent you from logging in or using the Platform.
11. Children’s Privacy
The Platform is not intended for use by individuals under the age of 13 (or the applicable minimum age in your jurisdiction, such as 16 in certain EU member states or 18 for entering contracts under Indian law). We do not knowingly collect personal information from children under the applicable minimum age.
If we become aware that we have collected personal information from a child under the applicable minimum age, we will promptly delete that information. If you believe that a child under the applicable minimum age has provided us with personal information, please contact us at privacy@cybered.academy.
12. Security Measures
We implement industry-standard technical and organizational measures to protect your personal information, including:
- Encryption: All data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Supabase-managed encryption).
- Authentication: Password hashing using bcrypt via Supabase Auth. Session management with secure, httpOnly cookies.
- Row-Level Security (RLS): Database-enforced access controls ensure users can only access data appropriate to their role. All 13 tables have RLS policies enabled.
- Atomic operations: Critical operations (e.g., gig claiming) use database-level row locking to prevent race conditions.
- PCI DSS compliance: Payment data is handled exclusively by Stripe (PCI DSS Level 1 certified). No sensitive financial data touches our infrastructure.
- Access controls: Role-based access control (RBAC) across four roles (Admin, Producer, Talent, Client). Middleware-enforced route protection.
- Secure communications: Dispatch notifications sent via authenticated API calls to AWS SES and Twilio.
While we implement reasonable safeguards, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected individuals and relevant authorities in the event of a data breach, as required by applicable law.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. If we make material changes, we will:
- Post the updated Policy on this page with a revised “Last Updated” date
- Notify registered users via email to their registered email address
- Where required by applicable law (e.g., GDPR, DPDPA), obtain your consent before applying material changes to existing data processing activities
We encourage you to review this Policy periodically. Your continued use of the Platform after changes are posted constitutes acceptance of the updated Policy, except where additional consent is required by law.
14. Contact Information
If you have questions or concerns about this Privacy Policy, or wish to exercise any of your rights, please contact us:
Data Controller
Information Security Media Group, Inc. (ISMG)
902 Carnegie Center, Suite 430
Princeton, NJ 08540
United States
Privacy Inquiries
Email: privacy@cybered.academy
Data Protection Officer (DPO)
Email: dpo@cybered.academy
Platform
For DPDPA-related grievances (India), you may contact our designated grievance officer at dpo@cybered.academy. If your grievance is not resolved to your satisfaction within the prescribed period, you may file a complaint with the Data Protection Board of India.
© 2026 Information Security Media Group, Inc. All rights reserved.