This Threat Intelligence Operations Notice ("TI Notice") is issued by NorthQuinn Inc., a Delaware corporation ("NorthQuinn," "we," "us," or "our"). It constitutes a supplemental data processing notice that extends NorthQuinn's Privacy Policy to cover personal data processed in connection with NorthQuinn's threat intelligence research infrastructure, including honeynets, deception technology deployments, and adversary telemetry collection systems (collectively, "Threat Intelligence Infrastructure"). This TI Notice supplements, and should be read in conjunction with, the Privacy Policy. In the event of a conflict between this TI Notice and the Privacy Policy with respect to the subject matter herein, this TI Notice controls.
NorthQuinn's Privacy Policy governs the collection and processing of personal data through www.northquinn.com and related site infrastructure. That scope does not encompass data processed in connection with NorthQuinn's Threat Intelligence Infrastructure, which operates independently of the public-facing website and involves materially distinct data categories, processing purposes, legal bases, and retention frameworks.
This TI Notice governs the processing of personal data collected or generated by NorthQuinn-operated Threat Intelligence Infrastructure, including:
This TI Notice does not govern:
No Customer or Production Data: NorthQuinn's Threat Intelligence Infrastructure is operationally isolated from NorthQuinn's production systems and from any client-facing or client data-bearing environments. No NorthQuinn customer data, client engagement data, or production system data is present in, processed by, or accessible through the Threat Intelligence Infrastructure described in this TI Notice.
Capitalized terms used in this TI Notice and not otherwise defined herein have the meanings ascribed to them in the Privacy Policy or, as applicable, in Regulation (EU) 2016/679 (the "GDPR"). The following additional terms apply specifically to this TI Notice:
| Term | Meaning |
|---|---|
| "Threat Intelligence Infrastructure" | NorthQuinn-operated honeynets, honeypots, deception technology deployments, honey tokens, decoy services, and associated sensor telemetry collection systems operated by NorthQuinn for the purpose of observing, capturing, and analyzing adversarial activity. Threat Intelligence Infrastructure does not include NorthQuinn's production systems, client-facing infrastructure, or www.northquinn.com. |
| "Honeynet" | A network of one or more honeypot systems deployed by NorthQuinn to attract, observe, and record unsolicited adversarial activity. A honeynet presents an ostensibly functional network or system environment to the public internet and records all inbound interactions for research and threat intelligence purposes. |
| "Adversary Telemetry" | Data generated by or derived from adversarial interactions with NorthQuinn's Threat Intelligence Infrastructure, including network metadata, session telemetry, payload artifacts, authentication attempts, and any other data voluntarily transmitted by an unauthorized party to or through the Threat Intelligence Infrastructure. |
| "Pseudonymization" | The processing of personal data in such a manner that it can no longer be attributed to a specific natural person without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure non-attribution, as defined in Article 4(5) GDPR. NorthQuinn's pseudonymization of source IP addresses employs cryptographic one-way hashing with a unique per-dataset salt. |
| "Research Purpose" | The cybersecurity research and threat intelligence development activities conducted by NorthQuinn, including: characterizing adversary tactics, techniques, and procedures (TTPs); identifying and documenting novel malware, exploitation methods, and attack campaigns; developing and validating detection logic and defensive countermeasures; contributing indicators of compromise and threat intelligence to the security community; and protecting NorthQuinn's information systems and those of the broader internet community from adversarial activity. |
| "Indicators of Compromise" or "IOCs" | Technical artifacts derived from Adversary Telemetry, including IP addresses, domain names, file hashes, network signatures, and behavioral patterns, that indicate the presence or likely presence of adversarial activity. IOCs processed under this TI Notice are generated exclusively from unsolicited adversarial activity observed by NorthQuinn's Threat Intelligence Infrastructure. |
NorthQuinn's Threat Intelligence Infrastructure collects only data that is voluntarily transmitted by an unauthorized party in the course of an unsolicited interaction with that infrastructure. NorthQuinn does not collect data from authorized users, legitimate network traffic, or incidental third parties who have not directed interactions at the Threat Intelligence Infrastructure.
The following categories of Adversary Telemetry are collected:
| Category | Data Elements | Personal Data Status |
|---|---|---|
| Network Metadata | Source IP address; destination IP address and port; source port; transport layer protocol; timestamp of connection initiation and termination; connection duration; packet size and count; TCP flags and session state; network-layer identifiers transmitted by the connecting party. | Source IP addresses constitute personal data under GDPR to the extent they are reasonably linkable to a natural person. All other network metadata in this category is treated as personal data as a precautionary measure. Pseudonymization is applied pursuant to Section 5 before downstream use. |
| Session Telemetry | Application-layer session content voluntarily transmitted by the interacting party, including: commands entered in an emulated shell environment; file and directory traversal paths queried; configuration or credential inputs submitted; post-authentication command sequences; tool identification strings and user-agent data. | Session telemetry may incidentally contain personal data, including usernames, operator handles, or identifying strings embedded in tool output. NorthQuinn applies automated screening to identify and segregate incidental personal data pursuant to Section 5.4. |
| Payload Artifacts | Malware binaries, scripts, exploit payloads, and configuration files voluntarily uploaded or dropped by an interacting party onto NorthQuinn's Threat Intelligence Infrastructure. Payload artifacts are retained as forensic evidence and submitted to relevant threat intelligence databases pursuant to Section 12. | Payload artifacts are not expected to contain personal data of natural persons. Where a payload artifact is found to contain personal data (such as harvested credentials or exfiltration staging data), NorthQuinn will apply the procedures in Section 5.4. |
| Authentication Attempts | Usernames, passwords, and credential strings submitted by an interacting party in the course of authentication attempts against the Threat Intelligence Infrastructure. Credential data is retained for research purposes, including botnet credential wordlist analysis and actor tooling characterization. | Authentication credentials submitted to Threat Intelligence Infrastructure are treated as personal data. Pseudonymization is applied to identifying elements pursuant to Section 5 before downstream analytical use. |
| Behavioral and Timing Data | Inter-packet timing, inter-command timing, session pacing, retry patterns, and tool behavioral fingerprints (including SSH client key exchange fingerprints). Behavioral data enables actor clustering and cross-session attribution independent of IP address rotation. | Behavioral fingerprints that are sufficiently distinctive to enable identification of a natural person or coordinated actor toolset are treated as personal data and pseudonymized pursuant to Section 5. |
NorthQuinn processes Adversary Telemetry on the legal basis of legitimate interests pursuant to Article 6(1)(f) of the GDPR. NorthQuinn has conducted a legitimate interest assessment ("LIA") as required by applicable guidance, the material findings of which are set forth in Sections 4.2 through 4.4 below.
NorthQuinn pursues the following legitimate interests through the processing described in this TI Notice:
The processing described in this TI Notice is necessary to achieve the legitimate interests identified in Section 4.2. The data can be obtained only through direct observation of unsolicited adversarial activity. No less privacy-invasive means exist to achieve equivalent research outcomes, because:
NorthQuinn has assessed the interests, rights, and freedoms of data subjects against the legitimate interests identified in Section 4.2 and concludes that those legitimate interests are not overridden, for the following reasons:
NorthQuinn's LIA documentation, including a complete record of the balancing assessment, is maintained in NorthQuinn's internal data governance records and is available to competent supervisory authorities upon request directed to privacy@northquinn.com.
NorthQuinn collects only data that is affirmatively and voluntarily transmitted by an adversarial party to or through the Threat Intelligence Infrastructure in the course of an unsolicited interaction. NorthQuinn does not collect data from or about parties who have not initiated an interaction with the Threat Intelligence Infrastructure. NorthQuinn does not supplement Adversary Telemetry with data obtained from third-party data brokers, commercial databases, open-source intelligence aggregation tools, or any other external source for the purpose of re-identifying pseudonymized data.
Source IP addresses collected by the Threat Intelligence Infrastructure are pseudonymized via cryptographic one-way hashing prior to ingestion into any downstream analytical environment, including NorthQuinn's AVERY platform training datasets. The hashing process employs a per-dataset cryptographic salt that is maintained separately from the pseudonymized dataset under access controls limiting access to authorized personnel. The salt and the pseudonymized dataset are not stored in conjunction with each other in any production analytical environment. Re-identification of pseudonymized source IP addresses from the hashed output alone is computationally infeasible without access to the relevant salt material.
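The following is an added illustration of the salted pseudonymization described above; it is not NorthQuinn's code and does not describe NorthQuinn's actual implementation. It assumes HMAC-SHA256 keyed with the per-dataset salt as the one-way function, and the field names `src_ip` and `src_ip_token`, the helper names, and the sample records are constructed for the example. It also shows why the salt must be secret and held separately: an unkeyed digest of an IP address can be reversed by enumerating the address space.

```python
import hashlib
import hmac
import ipaddress
import secrets


def new_dataset_salt() -> bytes:
    """Generate a 256-bit per-dataset salt; store it apart from the dataset."""
    return secrets.token_bytes(32)


def canonical_ip(raw: str) -> bytes:
    """Normalize textual variants to packed bytes so equal addresses hash equally."""
    ip = ipaddress.ip_address(raw.strip())
    # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) onto the plain IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.packed


def pseudonymize_ip(raw: str, salt: bytes) -> str:
    """Keyed one-way token for a source IP (HMAC-SHA256 is an assumed choice)."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 128 bits of random material")
    return hmac.new(salt, canonical_ip(raw), hashlib.sha256).hexdigest()


def pseudonymize_records(records, salt):
    """Replace 'src_ip' with 'src_ip_token' before records leave the raw tier."""
    out = []
    for rec in records:
        clean = {k: v for k, v in rec.items() if k != "src_ip"}
        clean["src_ip_token"] = pseudonymize_ip(rec["src_ip"], salt)
        out.append(clean)
    return out


def recover_unsalted(digest: str, network: str):
    """Enumerate a network to match a digest; succeeds only for unkeyed hashes."""
    for host in ipaddress.ip_network(network):
        if hashlib.sha256(host.packed).hexdigest() == digest:
            return str(host)
    return None


# Constructed sample telemetry using documentation address ranges (RFC 5737).
SAMPLE = [
    {"src_ip": "203.0.113.7", "dst_port": 22, "event": "ssh_auth_attempt"},
    {"src_ip": "::ffff:203.0.113.7", "dst_port": 23, "event": "telnet_login"},
    {"src_ip": "198.51.100.44", "dst_port": 22, "event": "ssh_auth_attempt"},
]

if __name__ == "__main__":
    salt_a, salt_b = new_dataset_salt(), new_dataset_salt()
    for row in pseudonymize_records(SAMPLE, salt_a):
        print(row)
    # The same address yields unlinkable tokens across datasets with different salts.
    print(pseudonymize_ip("203.0.113.7", salt_a) != pseudonymize_ip("203.0.113.7", salt_b))
    # A bare SHA-256 of the address is recovered by enumeration; the keyed token is not.
    bare = hashlib.sha256(canonical_ip("203.0.113.7")).hexdigest()
    print(recover_unsalted(bare, "203.0.113.0/24"))
    print(recover_unsalted(pseudonymize_ip("203.0.113.7", salt_a), "203.0.113.0/24"))
```

Tokens stay stable within one dataset, which preserves per-source clustering, while rotating the salt per dataset prevents joining sources across datasets.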
NorthQuinn's Threat Intelligence Infrastructure is designed to capture data transmitted by adversarial parties and is not positioned on any network path used by legitimate or authorized users. In the event that an adversarial party transmits data derived from third-party systems (such as harvested credential sets, exfiltrated file contents, or staged data from previously compromised hosts), such data may be incidentally captured as Adversary Telemetry. NorthQuinn applies the procedures in Section 5.4 to identify, segregate, and process such incidental third-party data.
NorthQuinn employs automated screening procedures to identify personal data inadvertently present in Adversary Telemetry, including personal data embedded in payload artifacts, session telemetry, or transmitted credential sets. Upon identification, such personal data is segregated from the general Adversary Telemetry dataset, subjected to restricted access controls, and processed only to the extent necessary for the following purposes: (i) assessment of the nature and scope of any compromise from which such data may have originated; (ii) responsible disclosure to relevant parties where identification and disclosure are feasible and consistent with applicable law; and (iii) deletion or anonymization as promptly as practicable following the conclusion of any necessary assessment or disclosure process.
NorthQuinn applies the following retention framework to Adversary Telemetry, reflecting the nature of each data category and the Research Purpose for which it is processed:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Raw honeynet telemetry containing directly identifying elements (including un-pseudonymized source IP addresses) | Twelve (12) months from the date of collection | Sufficient to support retrospective investigation and threat intelligence development for active campaigns; IP address geolocation and attribution data degrades in reliability beyond twelve months for the majority of dynamic IP assignments. After expiration, raw records are deleted or the identifying elements are pseudonymized and the record is reclassified as pseudonymized analysis data. |
| Pseudonymized analysis data (including pseudonymized IP hashes, behavioral fingerprints, and session telemetry from which directly identifying elements have been removed or pseudonymized) | Thirty-six (36) months from the date of pseudonymization | Supports longitudinal threat actor behavioral analysis and campaign tracking across multiple collection cycles; the extended period is justified by the reduced privacy risk attendant to pseudonymized data and the research value of multi-year behavioral datasets for TTP characterization. |
| Malware samples, payload artifacts, and TTP documentation containing no personal data | Indefinite retention for threat intelligence purposes | Malware samples and TTP documentation are non-personal research artifacts that retain permanent analytical and historical value for threat intelligence purposes. They do not contain personal data and are not subject to GDPR retention limitation obligations. Samples are shared with relevant threat intelligence platforms pursuant to Section 12. |
| Incidental third-party personal data identified pursuant to Section 5.4 | Deleted or anonymized as promptly as practicable following completion of applicable assessment and disclosure processes; in no event retained longer than ninety (90) days absent a legal hold or law enforcement request | Incidental personal data does not serve the Research Purpose and is not retained beyond the period required for assessment and responsible disclosure. |
| Legal hold material | Duration of the relevant legal matter plus any applicable post-resolution retention period under applicable law | Legal obligation; legitimate interests in dispute resolution and regulatory compliance. |
Upon expiration of the applicable retention period, NorthQuinn will securely delete or irrevocably anonymize the relevant data consistent with its internal data lifecycle procedures. Where complete deletion is technically impracticable (such as data present in encrypted backup archives), NorthQuinn will isolate and protect such data from further analytical Processing until deletion becomes feasible.
NorthQuinn's Threat Intelligence Infrastructure operates on a strictly passive observation basis. NorthQuinn does not engage in any of the following activities in connection with the Threat Intelligence Infrastructure:
All interactions captured by the Threat Intelligence Infrastructure are initiated exclusively by the interacting party. NorthQuinn's Threat Intelligence Infrastructure responds to inbound connection attempts in accordance with the emulated service profile; it does not initiate or solicit connections.
NorthQuinn implements technical and organizational measures to ensure that the Threat Intelligence Infrastructure is operationally isolated and cannot be weaponized by adversarial parties against third-party systems. NorthQuinn does not publicly disclose the specific technical architecture, sensor placement, or network topology of its Threat Intelligence Infrastructure. The following categorical commitments govern operational containment:
NorthQuinn's Threat Intelligence Infrastructure may be deployed in data centers or cloud infrastructure located in jurisdictions outside the United States, including within the European Economic Area. Adversary Telemetry generated by infrastructure located in EEA jurisdictions may be transferred to NorthQuinn's analytical environments in the United States for processing in accordance with this TI Notice.
All international transfers of Adversary Telemetry containing personal data are subject to the transfer mechanisms and supplementary technical measures described in Section 6 of the Privacy Policy (International Data Transfers), including Standard Contractual Clauses and accompanying Transfer Impact Assessments where applicable. The EEA-source provenance of data does not alter the pseudonymization and minimization obligations set forth in Section 5 of this TI Notice, which apply irrespective of the jurisdiction in which the data was collected.
Requests regarding the transfer mechanisms applicable to specific Threat Intelligence Infrastructure deployments may be directed to privacy@northquinn.com.
NorthQuinn evaluates its obligations under Article 27 of the GDPR with respect to the processing described in this TI Notice on an ongoing basis. The processing of Adversary Telemetry generated by EEA-located Threat Intelligence Infrastructure constitutes processing of personal data of individuals in the EEA by a controller not established in the EEA, and accordingly falls within the territorial scope of the GDPR pursuant to Article 3(2) thereof.
NorthQuinn's current Threat Intelligence Infrastructure operations involving EEA-located data subjects are assessed against the criteria set forth in Article 27(2) GDPR, including the criteria relating to whether the processing is other than occasional and whether it involves systematic monitoring of EEA individuals on a large scale. NorthQuinn will designate an EU Representative pursuant to Article 27 GDPR before any Threat Intelligence Infrastructure deployment that meets the applicable thresholds for mandatory representative designation.
The identity and contact information of any designated EU Representative will be published in this Section and in Section 6.3 of the Privacy Policy at the time of designation. Pending such designation, inquiries regarding Article 27 obligations and representative designation status may be directed to privacy@northquinn.com. The forward-looking representative designation commitment set forth in Section 6.3 of the Privacy Policy applies equally to Threat Intelligence Infrastructure processing.
NorthQuinn acknowledges that natural persons whose IP addresses or other identifying information appears in Adversary Telemetry are data subjects for purposes of the GDPR and applicable U.S. state privacy laws, and that such persons may hold rights with respect to that personal data notwithstanding the unauthorized nature of the activity that gave rise to its collection. NorthQuinn does not disclaim data subject rights on the basis that the processing was initiated by the data subject's own unauthorized conduct, except to the extent that applicable law expressly limits or extinguishes such rights in the relevant context.
Data subjects whose personal data is processed under this TI Notice may, subject to applicable law and the limitations described in Section 11.3, exercise the following rights by submitting a verifiable request to privacy@northquinn.com with the subject line "TI Notice Data Subject Request":
Requests submitted under Section 11.2 must include reasonable identity verification information sufficient to enable NorthQuinn to identify the relevant personal data in its systems, including at minimum the source IP address or other identifying information with respect to which rights are being exercised, and the approximate time period during which the relevant interactions occurred. Requests that do not include sufficient identifying information to locate the relevant personal data may not be fulfilled.
NorthQuinn may decline or limit requests where:
NorthQuinn will respond to verifiable requests without undue delay and within one (1) calendar month, subject to permitted extensions. If NorthQuinn declines a request in whole or in part, it will provide written reasons and information regarding the data subject's right to lodge a complaint with the applicable supervisory authority. EEA residents may refer to Section 11 of the Privacy Policy for applicable supervisory authority contact information.
NorthQuinn shares threat intelligence outputs derived from Adversary Telemetry with the broader security community as part of its Research Purpose. Such sharing is conducted through established threat intelligence platforms and coordinated disclosure channels, including without limitation:
NorthQuinn applies the following practices with respect to the personal data dimension of community sharing:
NorthQuinn's community sharing activities are consistent with the legitimate interest basis documented in Section 4 of this TI Notice. Community sharing is an integral component of the Research Purpose and serves the public interest in effective cybersecurity defense.
NorthQuinn Inc. is the Data Controller for personal data processed under this TI Notice. All inquiries, data subject requests, and correspondence relating to this TI Notice should be directed as follows:
| Item | Details |
|---|---|
| Entity | NorthQuinn Inc. |
| Incorporation | Delaware, United States of America |
| Privacy Inquiries | privacy@northquinn.com |
| Legal Inquiries | legal@northquinn.com |
| Security / VDP | abuse@northquinn.com |
| General Contact | northquinn.com/contact |
| Acknowledgment | Within 10 business days of receipt |
| Substantive Response | Within the period required by applicable law |
NorthQuinn endeavors to resolve all inquiries under this TI Notice promptly and directly. If you are dissatisfied with NorthQuinn's response, you may have the right to escalate to the applicable data protection or consumer protection authority as described in Section 11 of the Privacy Policy.
This TI Notice was last amended on May 19, 2026. NorthQuinn reserves the right to modify this TI Notice to reflect changes in its Threat Intelligence Infrastructure operations, applicable law, or data governance practices. Material amendments will be communicated by updating the "Last Amended" date at the top of this page. Prior versions are available upon request.