Privacy Policy

Last updated: 30/03/2026

1. Data Controller

atworkstudio
Website: www.atworkstudio.it
Contact: www.atworkstudio.it/contatti

2. Personal Data Collected

We collect only the following data, voluntarily provided by the user:

  • Email address — to identify the submission and send the personal access link
  • Company name — to personalize the assessment report
  • Questionnaire responses — the answers to the 106 questions based on the NIST CSF 2.0 and any additional comments

We do not collect browsing data, profiling cookies, geolocation data, or any other personal data beyond those listed above.

3. Purpose of Processing

Personal data is processed for the following purposes:

  • Service delivery — generation of the cybersecurity assessment report based on the responses provided (Art. 6.1.b GDPR — contractual performance)
  • Communication — sending the personal access link via email (Art. 6.1.b GDPR — contractual performance)

Data is not used for marketing or profiling and is not shared with third parties for commercial purposes.

4. Legal Basis for Processing

  • Art. 6.1.a GDPR — Explicit consent of the data subject, given by completing the questionnaire and accepting this privacy policy
  • Art. 6.1.b GDPR — Necessity for the performance of the service requested by the user

5. Recipients and Data Processors

Data may be processed by:

  • Microsoft Azure — application and database hosting (EU data center)

No data transfers to non-EU countries are made without adequate safeguards (Art. 46 GDPR).

6. Data Retention Period

Data is retained for a maximum period of 12 months from the date of submission, after which it is automatically deleted. The user may request early deletion at any time (see section 7).

7. Data Subject Rights

Pursuant to Articles 15-22 of the GDPR, the user has the right to:

  • Access — obtain confirmation of processing and a copy of their personal data
  • Rectification — correct inaccurate or incomplete data (via the personal access link)
  • Erasure — request deletion of their data at any time. The application provides an immediate self-deletion function accessible from the confirmation page
  • Portability — receive their data in a structured format
  • Objection — object to the processing of their data
  • Withdrawal of consent — withdraw consent at any time without affecting the lawfulness of prior processing

To exercise these rights, please contact us via the contact page.

The user also has the right to lodge a complaint with the relevant Data Protection Authority.

8. Cookies

This application does not use profiling or third-party cookies. Only strictly necessary technical cookies are used for the operation of the service (administrative authentication), for which consent is not required under applicable data protection legislation.

9. Security Measures

In accordance with Art. 32 of the GDPR and ISO/IEC 27001 controls, we implement the following technical and organizational measures:

  • Encryption in transit — all communications use the HTTPS/TLS protocol
  • Encryption at rest — the database is hosted on Azure with data-at-rest encryption
  • Authenticated access — the administrative area is protected by Microsoft Entra ID authentication
  • Access tokens — user access to their data is via a unique cryptographic token (64 hexadecimal characters)
  • Input validation — all incoming data is validated and sanitized to prevent attacks (XSS, SQL Injection)
  • Prepared statements — database queries use prepared statements to prevent SQL Injection
  • Principle of least privilege — data access is limited to authorized personnel and strictly necessary functions

10. Changes to This Policy

We reserve the right to update this privacy policy. Changes will be published on this page with the updated date. We recommend checking this page periodically.