Privacy Policy

Last updated: 14 April 2026

1. Data controller

The controller of your personal data is NIS2MM (a project currently in the process of being incorporated as a limited liability company).

Contact: privacy@nis2mm.eu

2. Data collected

During the assessment we collect the following data:

  • Your organization's sector of activity
  • Company size (employee-count range)
  • Respondent's role
  • Email address (optional, only if you provide it)
  • Assessment responses (7 questions)
  • Calculated score and derived metrics

3. Legal basis for processing

Processing of your data is based on:

  • Legitimate interest (Art. 6.1.f GDPR): the assessment of technology-risk governance that you voluntarily request.
  • Explicit consent (Art. 6.1.a GDPR): given by accepting this policy before starting the assessment.

4. Storage and security

Your data is stored on AWS servers in Frankfurt (Germany), within the European Union. Data is transmitted encrypted via HTTPS and stored in a database protected by row-level access policies (Row Level Security).

5. Retention period

Assessment data is retained for a maximum of 12 months from the date of completion. After that period, the data is automatically deleted.

6. User rights

Under the GDPR, you have the right to:

  • Access: request a copy of the data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request the deletion of your personal data.
  • Portability: receive your data in a structured, commonly used format.

To exercise any of these rights, write to privacy@nis2mm.eu. We will respond within a maximum of 30 days.

7. Contact

For any question related to privacy and the processing of your data: privacy@nis2mm.eu