Data Protection Impact Assessment (DPIA)¶

GDPR Article 35 Requirement

1. Identification¶

Field	Value
Assessment Title	RedPick Automated Penetration Testing Platform
Date Conducted	2026-03-17
Responsible Party	BeDefended Privacy Team
Data Protection Officer	privacy@bedefended.com
Engagement Reference	[INSERT ENGAGEMENT NAME]
Version	1.0

2. Description of Processing¶

2.1 Purpose¶

Automated and manual penetration testing of web/mobile applications to identify and document security vulnerabilities for remediation by the client.

2.2 Lawful Basis¶

Primary: Contract - testing performed per signed engagement agreement (GDPR Art. 6(1)(b))
Secondary: Legitimate Interest - BeDefended's interest in security research (Art. 6(1)(f))

2.3 Processing Steps¶

Reconnaissance: Passive discovery of systems in scope (DNS, WHOIS, public sources)
Active Testing: Web crawling, API discovery, parameter fuzzing against authorized targets
Evidence Collection: Screenshots, HTTP responses, command output captured in logs
Data Handling: Findings organized, classified, anonymized where applicable
Reporting: Evidence summarized in professional report to client
Data Deletion: Engagement data purged after 1-year retention

2.5 Duration¶

Testing Period: [ENGAGEMENT DURATION]
Data Retention: 1 year post-engagement
Final Deletion: 1 year + 30 days

3. Necessity & Proportionality¶

3.1 Why Is This Processing Necessary?¶

Without capturing personal data artifacts: - ❌ Impossible to prove vulnerabilities exist (no evidence) - ❌ Impossible to demonstrate exploit chains - ❌ Impossible to provide actionable remediation steps - ❌ Client cannot fix without seeing the issue

3.2 Proportionality Test¶

Risk	Necessity	Mitigation
High — PII in HTTP responses	High — Proof of exposure	Pseudonymized in report; marked for client remediation
Medium — Error messages reveal framework	High — Identifies vulnerable framework	Same
Low — Incidental user ID in log	Low — Demo value only	Redacted in final report if not critical

Conclusion: Processing is proportionate and necessary.

4. Stakeholders & Consultation¶

4.1 Stakeholders Consulted¶

✅ Data Protection Officer (BeDefended)
✅ Penetration Testing Team
✅ Engineering Team (security measures)
✅ Client (scope & authorization)
⚠️ Data Subjects — Not directly consulted (bulk data, impractical); notice provided in privacy policy

4.2 Feedback Incorporated¶

Minimization: Only capture minimum necessary evidence
Pseudonymization: Redact non-essential PII in findings
Retention Limits: Delete after 1 year, not indefinitely
Transparency: Privacy policy published; phased rollout allows feedback

5. Risk Assessment¶

5.1 Risks of Not Processing Data¶

Risk	Likelihood	Impact	Severity
Cannot prove vulnerability exists	Certain	Liability (client can't remediate)	CRITICAL
Unable to guide remediation	Certain	Engagement worthless	CRITICAL
Loss of competitive advantage	High	Market disadvantage vs. competitors	HIGH

Mitigation: Proceed with processing; do not process without evidence.

5.2 Risks FROM Processing Data¶

Risk 1: Unauthorized Disclosure of Personal Data¶

Aspect	Assessment
Likelihood	Medium (human error, APT attack, insider threat)
Impact	HIGH — Exposed PII (names, emails, SSNs if captured, credentials)
Risk Score	HIGH
Mitigation	Encryption, access control, audit logging, staff training

Risk 2: Data Breach via Network Attack¶

Aspect	Assessment
Likelihood	Low (AWS/secured infrastructure, but intrinsic risk)
Impact	HIGH — All engagement data exfiltrated
Risk Score	MEDIUM
Mitigation	TLS 1.3, WAF, IDS, incident response, annual pen-testing of BeDefended

Risk 3: Unauthorized Retention¶

Aspect	Assessment
Likelihood	Low (automated deletion, but process failure risk)
Impact	MEDIUM — Data kept longer than allowed
Risk Score	LOW
Mitigation	Automated data-retention-purge.py script, quarterly audits, manual backup of deletion logs

Risk 4: Data Misuse by BeDefended Staff¶

Aspect	Assessment
Likelihood	Very Low (contractual obligations, confidentiality)
Impact	HIGH — Data used for competitive purposes or sold
Risk Score	MEDIUM
Mitigation	Background checks, NDAs, role-based access, audit logs monitored

Risk 5: Inadequate Pseudonymization¶

Aspect	Assessment
Likelihood	Medium (re-identification possible with metadata)
Impact	MEDIUM — Pseudo-anonymized data re-identified
Risk Score	MEDIUM
Mitigation	Report anonymizes non-critical PII; metadata minimization; legal basis (contract) allows re-identification

Risk 6: Data Shared with Unauthorized Sub-processors¶

Aspect	Assessment
Likelihood	Low (formal DPA process, but oversight risk)
Impact	HIGH — Third-party unauthorized access
Risk Score	MEDIUM
Mitigation	Audit of sub-processors quarterly; client notification of sub-processor changes (15-day notice period)

6. Mitigation & Safeguards¶

6.1 Technical Safeguards¶

Encryption¶

In Transit: TLS 1.3 for all API/web traffic
At Rest: AES-256-GCM for reports, engagement data
Key Management: AWS KMS or locally-managed per environment

Access Control¶

RBAC: Admin, pentester, client, client_viewer, bughunter roles
MFA: Mandatory for admin/pentester staff
Least Privilege: Each user can access only their engagement data
API Token Expiration: 30-minute JWT expiration + blacklist on logout

Monitoring & Auditing¶

Audit Logs: All access logged (user, action, timestamp, IP, user-agent)
Log Retention: 2 years per GDPR
Alerting: Automated alerts for:
5+ failed logins from same IP
Bulk data exports (>100 records)
Deletion of audit logs
Unauthorized sub-processor access

Vulnerability Management¶

Dependency Scanning: Weekly via Dependabot (pip, npm, Docker)
Penetration Testing: Annual external audit of BeDefended platform itself
Code Review: AI-assisted code review for SAST before deployment
Incident Response: 4-hour detection SLA, 24-72 hour notification

6.2 Organizational Safeguards¶

Staff Training¶

Annual GDPR/data protection training for all staff
Penetration testing code of ethics (PTES) adherence
Confidentiality agreements (NDAs) for all staff

Data Minimization¶

Capture Only: What's necessary to prove vulnerability
Redaction: Non-essential PII removed from report
De-identification: User IDs anonymized where non-critical
Deletion: Secure NIST-compliant deletion after retention period

Data Processing Agreements¶

Sub-processors: Formal DPA with all third-party vendors
Change Management: 15-day notice before sub-processor changes
Audit Rights: Annual audit of sub-processors

Incident Response Plan¶

Detection (< 4 hours) → Incident confirmed
Assessment (< 24 hours) → Scope, affected data categories
Notification (< 72 hours) → Supervisory authority + data subjects (if high-risk)
Remediation (< 7 days) → Containment, root cause fix, hardening

7. Necessity Reassessment¶

Question	Answer	Justification
Is processing of personal data necessary?	YES	Cannot prove security vulnerabilities without evidence
Are there less invasive alternatives?	NO	Testing requires observation of system behavior (logs, responses, screenshots)
Is the volume of data proportionate?	YES	Only incidental data captured during testing
Is retention limited appropriately?	YES	1-year retention aligns with industry standard + legal compliance
Are technical safeguards adequate?	YES	Encryption, access control, audit logging in place
Is transparency/consent adequate?	YES	Privacy policy published; client authorizes testing

Conclusion: Processing is JUSTIFIED under GDPR Art. 6(1)(b) (contract) and Art. 32 (security).

8. Consultation with Data Protection Authority¶

8.1 When Required¶

DPIA consultation required if: - ✅ High-risk processing remains after mitigation - ✅ Processing affects large number of data subjects - ✅ Systematic monitoring or profiling

This DPIA → Consultation required if engagement involves: - Healthcare systems (HIPAA data) - Financial systems (payment data) - Government systems - Biometric authentication - Automated decision-making

8.2 Request Process¶

If consultation needed: 1. Send completed DPIA to relevant DPA 2. Provide 30 days for review/feedback 3. Incorporate suggestions before proceeding 4. Document DPA feedback in engagement file

Contact: Italian DPA

9. Decision¶

9.1 Proceed or Not?¶

Criteria	Assessment	Decision
Necessity	Necessary to deliver service	✅ PROCEED
Proportionality	Mitigations adequate	✅ PROCEED
Safeguards	Technical controls in place	✅ PROCEED
Transparency	Privacy policy clear	✅ PROCEED

9.2 Final Recommendation¶

✅ APPROVED — Processing may proceed with the following conditions:

Client Authorization: Explicit written authorization from Controller confirms scope and consent
Engagement Scoping: Clear definition of in-scope systems and testing methodology
DPA Execution: Formal Data Processing Agreement signed before data collection begins
Staff Briefing: Penetration testing team receives briefing on data minimization/confidentiality
Deletion Verification: Post-engagement, written confirmation of data deletion provided to Client
Annual Review: This DPIA reviewed annually or upon significant process changes

10. Monitoring & Review¶

10.1 Ongoing Monitoring¶

Audit Logs Review: Monthly for unauthorized access/deletion patterns
Incident Review: All data-related incidents reviewed and documented
Sub-processor Audits: Quarterly sampling of sub-processor compliance
Regulatory Updates: Quarterly check for GDPR guidance changes (EDPB opinions)

10.2 Annual DPIA Review¶

Scheduled for March 2027 to assess: - Any breaches or near-misses? - Changes to testing methodology? - New sub-processors or vendors? - Regulatory updates or enforcement trends?

Update Schedule: DPIA updated upon: - Major process changes - High-risk incident (breach, unauthorized access) - Regulatory guidance (new EDPB opinion, court ruling) - Significant change to safeguards

Approval & Sign-Off¶

Prepared by: BeDefended Privacy Team

Reviewed by: Data Protection Officer

Approved by: [AUTHORIZATION]

Date: 2026-03-17

Next Review: 2027-03-17

Document Version: 1.0 | Classification: Internal | GDPR Article 35 Compliant