Privacy policy

When we say ‘we’ or ‘us’ in this notice, we’re referring to Viking Cloud, Inc., on behalf of itself and its affiliates, which is a Delaware corporation with an address at 111 North Wabash Ave. Suite 100 #3230, Chicago, IL 60602, USA.  

This notice describes how we collect, store, use, and share personal information if you visit our websites or offices (Visitors), as well as if we identify you as a potential client / if you have contacted us about our products and services (Prospects) or if you are a registered contact for one of our clients (Client Representatives). It explains the rights you have in relation to the personal information that we hold about you.

If you are a merchant and your payment provider has contracted with us to provide you with PCI DSS compliance services (rather than you buying from us directly), the use of your information is determined by your payment provider.  Please contact them for information.

If you are a merchant and you have purchased SecureTrust PCI Manager (Cloud Compliance Direct) services from us via the Secure Trust website (, you can find more information about our use of your information here; VikingCloud Direct Clients Privacy Notice – SecureTrust.

This Privacy Notice has been written in alignment with the requirements of the General Data Protection Regulation (GDPR), the UK GDPR, Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD), South Africa’s Protection of Personal Information Act (POPIA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and India’s Personal Data Protection Act (PDPA).

If you are based in Mexico, the Ley Federal de Protección de Datos Personales en Posesión de los Particulares doesn’t apply to people acting in a professional capacity.  We are also not directly in scope for the Californian Consumer Privacy Act (CCPA) or the Australian Privacy Act. However, the collection and use of your information will remain the same so you can still review this Privacy Notice if you’d like to know more.

Where do we get your information from?

We collect information from you in a variety of ways, such as when you;

  • Complete a form on our website
  • Subscribe to our communications
  • Contact us by phone, email, physical mail or social media (we have accounts on LinkedIn, Twitter, Facebook and Instagram)
  • Visit our offices
  • Share your contact details with us at an event or conference (or for some events, the event organizer will share details of all attendees with us
  • Attend one of our webinars
  • Visit our website (see our Cookie Notice for more information on the tracking technologies we use).
  • Interact with us or one of our adverts on Social Media

We also use lead providers, who will provide us with names, roles, and business contact details.

Your employer may also share your details with us if they have nominated you to manage the services we provide to them (i.e. you’re a Client Representative / named as a contact in our contracts).  

What kinds of information do we collect about you?

The information we collect is;

  • Personal – your name, country and if you are based in the US, your state.  We may also collect your address solely to send you merchandise on a case-by-case basis, you decide whether this is a personal or work address.
  • Employment – your employer and role / job title.  
  • Work contact details – your work email address and phone number.
  • Professional interests – if you complete a form on our website or talk to one of our sales or relationship management colleagues, we will collect details on your interests and opinions such as the service(s) you believe your employer needs.
  • Meeting recordings – if you have a meeting with us, you may agree to the meeting being recorded (or request us to record it).
  • CCTV footage / building access logs – if you visit any of our offices, we will capture images of you and record information relating to your visit.
  • Website server logs – if you visit one of our websites, we automatically collect server logs containing your IP address and your approximate location (town / city level).
  • Webinar analytics – if you attend one of our webinars, we can see who joined and when.
  • Cookie information – please see our Cookie Notice for information on what information we collect using such technologies / how your information is used.
  • Advertising reports – if you are a Meta user (you use Facebook or Instagram) then we will obtain some aggregated analytics data on our campaigns.  This doesn’t allow us to identify you, but the platforms we use do know who you are and we are jointly responsible with them for these activities.

How do we use your personal information, and what are our legal grounds?

Some global data protection laws require organizations to process personal information only where they have a legal basis.

In the table below, you can see more detail on legal bases under the General Data Protection Regulation (GDPR) which is aligned to Brazil’s LGPD and South Africa’s POPIA.

In Canada and India we require your consent. This is not the same as consent under the GDPR.  We will imply your consent by providing you with this Privacy Notice when you provide your information to us.

Reason for using your personal information

Legal ground

Website Monitoring

If you provide your consent via our cookie tool, we will set and access cookies when you visit our website. See our Cookie Notice for more information.

Sales & Marketing

Where you have provided your consent, most often in regions where this is required or if you sign up via our website, we will send marketing messages relating to our products and services, including webinar invitations and white papers.  


Under EU laws, we can only use non-essential cookies (such as analytics cookies) if we receive your consent.

We may need your consent to send marketing in some EU countries.

You have the right to withdrawn consent at any time.

Legal Duties

We will disclose or share your personal information in order to comply with any legal obligation such as a court order.

Where we must comply, we’ll only provide the minimum information needed to comply.

Necessary for compliance with a legal obligation

Your personal information may be processed in order to meet any legal obligations VikingCloud is subject to.

Protecting Life

We will disclose your information to the police or other authorities if we have serious concerns about you or another’s wellbeing.

Necessary to protect vital interests

This will usually only apply in ‘life-or-death’ scenarios.

Necessary for legitimate interests

We also use your information when we have a ‘legitimate interest’ as long as this doesn’t unfairly impact you or your privacy rights. Each activity is assessed, and your rights and freedoms are taken into account to make sure that we’re not being intrusive or doing anything beyond your reasonable expectations.

We'll assess the information we need, so we only use the minimum. If you want further information about processing under legitimate interests you can contact us using the details at the end of this Privacy Notice.

You have the right to object to any use of your information where we use this reason of ‘legitimate interests’. We'll re-assess our interests and yours, considering your particular circumstances. If we have a very strong reason for the use of your information, we may continue to use your information.  We use ‘legitimate interests’ for the following:

Reason for using your personal information

Legitimate interest(s)

Sales & Marketing


Email Marketing List

Where the territory you are in does not require you opt-in consent, we will send marketing messages relating to our products and services, including webinar invitations and white papers.  


Where we acquire your information from webinars, events and conferences, our sales people will contact you about our products and services and we will add you to our email marketing list.  


We use LinkedIn to contact and talk to people who may be interested in our products and services.  This activity is synced to our Customer Relationship Management (CRM) system so we have accurate records of all contact with you.

Advertising - Meta

We advertise on Meta (Facebook and Instagram), targeting users based on non-sensitive info such as age and gender.  We get aggregated reports on how many people have been targeted, how many users see the adverts, and how many people click on the adverts. We keep the aggregated results confidential, don't share it with anyone except our ad partner, and don't use it for any other purposes.  Meta Ireland is jointly responsible for this activity, please see Meta Ireland's Privacy Policy at for more information about their use of your information.  

Advertising – Google and LinkedIn

If you consent to cookies on our website, we can show you advertisements on Google or LinkedIn (this is called re-targeting – directing adverts to you on these platforms based on the fact you visited our website).  See our Cookie Notice for more information on your choices.


We use Zoominfo to source leads (find people who work in relevant roles, for organizations in industries we’re targeting) and ensure our CRM records remain accurate (we share your name, role and employer as well as business contact details).  Note that as well as acting as our service provider, Zoominfo use the information we provide to them to update and maintain their own records.

We need to promote our products and services in order to run a successful business.

Analysis and management reporting

We analyze and report on our sales & marketing activities. Where we do so, we do this to produce aggregated reports - i.e. facts and figures, which no longer contain personal information.

Key KPls which are analyzed relate to matters such as the success of marketing campaigns – how many people respond to the campaign, how many led to conversations, how many resulted in sales etc.  We also analyse who attended our webinars and attendance times to assess and improve such activities.

We need to analyze and assess our performance in order to optimize our resources.

Relationship Management

Client Representative

If you are a Client Representative, we will use your contact details to keep in touch about the services.  This will mainly be data your employer is responsible for, but if it’s not a core part of the agreement then we’re responsible for this use of your data.


We use Zoominfo to ensure our CRM records remain accurate (we share your name, role and employer as well as business contact details).  Note that as well as acting as our service provider, Zoominfo use the information we provide to them to update and maintain their own records.

We need to keep in touch with our clients to ensure you are happy and our products and services are fulfilling your business needs (i.e. for retention purposes).

Crime prevention and detection, safety and security


VikingCloud buildings are monitored by CCTV cameras to protect us and our colleagues / visitors.  If you visit one of our sites, your images will be captured.

We will also record details of visitors to our site; your name, your company, who you visited and dates / times. If you visit one of our datacenters, you will be asked for additional information; vehicle registration and a form of national identification containing a photograph e.g. driver license, passport.

We need to ensure the safety and security of VikingCloud staff, clients, and other visitors as well as our and our client’s information.

Technical security and support

Logs are automatically reviewed to produce alerts for manual review, with alerts being generated if there are indications of errors, problems with our technology or security concerns.  Logs often include usernames, emails, activities and the dates and times of these.

We need to ensure the security and of our systems and our information, as well as making sure our technology is working effectively / as intended.

Online Tracking

At present, we do NOT respond to Do Not Track signals your browser sends. But you can use our cookie tool to let us know your preferences.

Who do we share your personal information with?

We share your personal information with other organizations. The organizations we share personal information with are as follows;

  • Sales and marketing software and service providers
  • Productivity tool providers
  • Our website provider
  • Finance software providers
  • Security tool/service providers
  • Survey providers
  • Telephone providers
  • Webinar platform providers
  • Advertisers and advertising agencies
  • Cookie consent tools
  • Government Bodies and Regulators
  • Professional services providers and consultants, such as contractors, external auditors, and lawyers.
  • As part of an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets, or reorganization.

We only share personal information where there is a requirement to do so, and where appropriate technical, organizational, and where necessary, contractual measures are in place to ensure its protection.

Overseas transfers

The information that we process about you will be stored in the United States. It may also be stored or accessed by authorized individuals who operate in a variety of countries, or who work for us or for one of our suppliers.

If you are based in the EU or UK, we need to have specific protections in place to transfer your information to another country. We also need to let you know which methods we use.

  • Some countries have been assessed by the relevant authorities as being ‘adequate’, which means their legal system offers a level of protection for your information which is equal to the level of protection in your country. This applies to some of our suppliers, as well as some of the transfers of information within VikingCloud.
  • The EU Commissioner and the UK have also approved Binding Corporate Rules (BCRs) as a way to protect information shared within a group of companies. This requires the group to commit to meeting European / UK standards across all regions. These rules need to be approved by all the EU supervisory authorities or (for the UK, the UK regulator) and require extensive monitoring and oversight when they are authorized.  Some of our suppliers have BCRs.
  • Where the country or mechanism hasn’t been assessed as ‘adequate’, the method we use most frequently is Standard Contractual Clauses (SCCs). These contract terms place EU standards on companies in other jurisdictions. The European Commission approved standard contractual clauses are available via the link below, or let us know if you’d like more information;
  • We have SCCs in place to allow sharing between VikingCloud entities globally.
  • We use SCCs for some of our service providers - we make sure we have contract terms and make checks of their practices / agree additional controls to ensure that your information is treated securely and in accordance with this Privacy Notice.

If you’re based in a country outside of the EEA, there may be local obligations with regards to the transfer. See below for details of the additional controls which we will apply to satisfy these;

  • Brazil – the LGPD contains the same requirements as the GDPR in relation to international transfers.  However, the Brazilian Authority (ANPD) has yet to issue approved terms.  We have extended the EU SCCs to cover your information.
  • Canada – clear privacy notices explaining the transfer. We also need to tell you who to contact for more information. Please contact the Data Protection Team using details in the 'Contact section below.
  • India – at present, no restrictions are in place unless sensitive personal information is involved (which doesn’t apply here).  
  • South Africa – we must ensure a binding agreement is in place which ensures POPIA’s principles are upheld including when further transferring personal information.  Again, South Africa has yet to issue approved contract terms, so we have extended the EU SCCs to cover your information.

How long do we keep personal information for?

Unless otherwise set out in this Privacy Notice, any information we process about you will be retained by us until we no longer need it for the purposes for which it was collected, as set out in this Privacy Notice. We will base that decision on criteria, including;

  • Any legal or regulatory requirements to delete or retain the information for a specific timeframe,
  • Our legitimate business reasons for keeping the information, such as to analyze and assess our activities,
  • The likelihood of a claim arising where we’d need to defend our conduct, and,
  • Whether the information is likely to remain up to date.

We will review and delete or destroy personal information on a regular basis. If we are unable, using reasonable endeavors, to delete or destroy personal information we will ensure that the personal information is encrypted or protected by security measures so that it is not readily available or accessible by us.

Automated decisions / profiling

Automated decisions are where a computer makes a decision about you without a person being involved. Profiling is where information is used to infer information about you.  We don’t make any automated decisions or profile you.


We align with the International Standard for Information Security, ISO27001, as well as that relating to Privacy, ISO27701.  This involves setting up a system to manage risk around both information security and data protection / privacy, as well as putting in place measures and objectives to keep improving.  

An example of a measure we take is to enforce TLS1.2 when transferring information externally / to our suppliers; TL1.2 is a network protocol for encrypting information in transit.  

Access to your information is only provided to our people who have a need to know.  We implement role-based access control so only those with a relevant role are given permissions.  We audit access regularly.  

Your rights

There are a number of rights available under global data protection and privacy laws.

Not all rights apply in all situations and regions have timeframes from 1 calendar month to 45 days, with the ability to extend timeframes in some situations. However, to avoid this Privacy Notice getting too long, we have not included full details of timeframes and what applies here.  

The easiest way to exercise any of your rights, enquire if a right is applicable in a specific circumstance or to check what timescales apply would be to contact our Data Protection Team using the contact details below. If we need further information to comply with your request, we’ll let you know.

In relation to our advertising activities, we have entered into a legal agreement with Meta to clarify who is responsible for your information and when.  Meta Ireland is responsible for responding to your rights once our advertising activities have completed (as they’ll keep some records about this against your profile).  However, if in doubt get in contact with us and we’ll help.

Right of access / right to know

You have the right to ask for access to and receive copies of your personal information. You can also ask us to provide a range of information relating to how we collect/use your information.

Right to rectification / right to correct

If you believe the personal information we hold about you is inaccurate or incomplete, you can ask us to correct that information.

Right of erasure / right to be forgotten / right to delete / right to anonymization

In some circumstances, you have the right to ask us to delete and/or anonymize the personal information we hold about you.

Right to restrict processing / right to have information preserved

In some circumstances, you are entitled to ask us to restrict the processing of your personal information. This means we will stop using your personal information, but we won’t delete it.  Or you could ask us to NOT delete your information.

Data portability

You have the right to ask us to provide your personal information in a format that allows you to share your personal information with another provider.

Right to object

You are entitled to object to us processing your personal information if the processing is based on legitimate interests.  You also always have the right to object to our use of your information for marketing purposes.

All marketing messages, regardless of the nature of your relationship with us, contain a link to allow you to opt-out, along with a link to this Privacy Notice.  However, we will still need to send you messages where these are necessary for us to deliver our services (i.e., if you are a Client Representative) or if the message is legally required (e.g., updates to this Privacy Notice).

Changes to this Privacy Notice

This Privacy Notice Was last updated in December 2023.

Any changes we may make to the Privacy Notice in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes.


Our Data Protection Team can be contacted using the following email address: or alternatively by writing to 1st Floor Block 71A, The Plaza, Park West Business Park, Dublin 12.

Questions, comments, and requests regarding the Privacy Notice are welcomed and should be addressed to

If you have any concerns about the ways in which we process your personal information, in many countries you have a right to complain to the relevant supervisory authority in your jurisdiction. We’d encourage you to contact us first, so we can address your concerns (some regulators require this before they’ll take up a complaint).

Please see below for details of the relevant regulators;



European Economic Area


  • There is no regulator as such, the current law is overseen by the Ministry of Communication & Information Technology (Department of Technology)

South Africa

United Kingdom



Check out the latest news and resources from VikingCloud.
View All Resources
Andrea Sugden
Chief Sales and Customer Relationship Officer

Let’s Talk

Contact Us