Privacy Policy
Last Updated: March 17, 2026
Effective Date: March 17, 2026
1. Data Controller
BeDefended S.r.l.
- Address: Italy
- Email: privacy@bedefended.com
- Data Protection Officer (DPO): privacy@bedefended.com
2. Categories of Personal Data (GDPR Art. 13-14)
2.1 Identity Data
- Full name
- Email address
- Organization/Company name
- Professional title/role
- Contact information (phone number, address)
- Retention: Duration of engagement + 1 year
2.2 Authentication & Access Data
- Username
- Password hash (Argon2id)
- TOTP secret (Base32-encoded)
- Device fingerprints
- Session tokens (JWT)
- Login timestamps and IP addresses
- User agent information
- Retention: Duration of engagement + 90 days
2.3 Activity Data
- Actions performed within the platform
- API calls and parameters
- Reports generated and downloaded
- Findings created/modified
- Engagement status changes
- IP addresses and user agents for all actions
- Retention: 2 years (GDPR requirement, legal compliance)
2.4 Engagement & Testing Data
- Target URLs/domains being tested
- Vulnerabilities discovered
- Screenshots and evidence
- Technical findings
- Remediation recommendations
- Retention: 1 year (or per engagement agreement)
2.5 Communication Data
- Email correspondence
- Notifications sent
- Support tickets/messages
- Retention: 1 year after engagement completion
2.6 Payment Data (if applicable)
- Stripe customer ID
- Invoice history
- Billing address
- Retention: 7 years (tax/legal requirement)
3. Legal Basis for Processing (GDPR Art. 6)
| Data Category | Legal Basis | Purpose |
|---|---|---|
| Identity Data | Contract (Art. 6(1)(b)) | User registration, authentication, engagement management |
| Authentication Data | Legitimate Interest (Art. 6(1)(f)) | System security, fraud prevention, account protection |
| Activity Data | Legal Obligation (Art. 6(1)(c)) | Compliance auditing, security monitoring, incident response |
| Engagement Data | Contract (Art. 6(1)(b)) | Service delivery, penetration testing |
| Communication Data | Contract (Art. 6(1)(b)) | Service support, notifications |
| Payment Data | Legal Obligation (Art. 6(1)(c)) | Tax compliance, financial record-keeping |
4. Special Data Processing (GDPR Art. 9)
BeDefended does NOT intentionally collect special category data (race, ethnicity, political opinions, religious beliefs, trade union membership, genetic data, biometric data for identification, health data, or sex life data).
If special category data is incidentally captured in penetration test evidence:
- Data is immediately flagged for manual review
- PHI/PII scanning is performed
- Data controller is notified
- Evidence is redacted per GDPR Art. 9(2)(e) (legal claims in employment context) or with explicit consent
5. Rights of Data Subjects (GDPR Art. 13-14, 15-22)
5.1 Right of Access (Art. 15)
Endpoint: GET /api/v1/privacy/export
Users can obtain a copy of all personal data in machine-readable JSON format.
- Response time: 30 days
- No fee
5.2 Right to Rectification (Art. 16)
Endpoint: PATCH /api/v1/users/{id}
Users can correct inaccurate personal data.
- Request must specify the inaccuracy
- Correction processed within 15 days
5.3 Right to Erasure (Art. 17)
Endpoint: DELETE /api/v1/privacy/erase
Users can request deletion of their account and associated data ("Right to Be Forgotten").
- Account soft-deleted (marked inactive)
- Personal data in audit logs anonymized (user_id → NULL)
- User cannot log in after erasure
- Response time: Immediate
- Exceptions: Legal obligations (tax records retained 7 years)
5.4 Right to Data Portability (Art. 20)
Endpoint: GET /api/v1/privacy/export
Users can download personal data in JSON format for transfer to another service.
5.5 Right to Object (Art. 21)
Users can object to processing of personal data carried out on the basis of legitimate interest.
- Contact: privacy@bedefended.com
- Processed within 30 days
5.6 Right to Restrict Processing (Art. 18)
Users can request that processing be limited (e.g., while a dispute is resolved).
- Contact: privacy@bedefended.com
5.7 Rights Related to Automated Decision-Making (Art. 22)
BeDefended does NOT use automated decision-making or profiling that produces legal effects.
All findings and recommendations are reviewed by humans before reporting.
6. Data Sharing & International Transfers
6.1 Third-Party Service Providers
Personal data is shared with the following processors (Data Processing Agreements in place):
| Service | Purpose | Location | Agreement |
|---|---|---|---|
| Stripe | Payment processing | US | SOC 2 Type II certified |
| SendGrid | Email delivery | US | SOC 2 Type II certified |
| AWS (optional) | Backup storage | EU/US (configurable) | Standard Contractual Clauses |
| GitHub (optional) | Source control | US | Standard Contractual Clauses |
6.2 International Data Transfers (GDPR Art. 44-49)
- EU/EEA: No transfer required
- US: Standard Contractual Clauses (SCC) in place per GDPR Art. 46(2)(c)
- Other countries: Assessed on case-by-case basis per GDPR Chapter V
All transfers comply with Schrems II ruling (see Section 6.3).
6.3 Supplementary Safeguards (Schrems II)
For US transfers, BeDefended implements:
- End-to-end encryption where feasible
- Pseudonymization of audit logs
- Limited access controls at the processor
- Right to object to specific transfers
7. Data Retention & Deletion (GDPR Art. 17-18)
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Audit Logs | 2 years | Automated purge via data-retention-purge.py script |
| Engagement Data | 1 year | Soft-delete (logical deletion, not physical) |
| Inactive Accounts | 90 days of inactivity | Account marked inactive, data anonymized |
| Expired Sessions | 30 days after expiration | Automatic cleanup |
| Password Hashes | Duration of account | Deleted with account |
| Revoked Tokens | After expiration | Automatic cleanup (data-retention-purge.py) |
| Tax/Payment Records | 7 years | Legal requirement, encrypted storage |
Automatic Deletion: Runs weekly via cron job at 02:00 UTC.
Manual Execution: python dashboard/scripts/data-retention-purge.py --execute
8. Data Security (GDPR Art. 32, 33-34)
8.1 Technical Measures
- Passwords: Argon2id hashing (OWASP recommended)
- API Authentication: JWT with 30-minute expiration + blacklist on logout
- MFA: TOTP (Time-based One-Time Password) mandatory for admin/pentester roles
- Encryption at Rest: AES-256-GCM for sensitive documents/reports
- Encryption in Transit: TLS 1.3, HSTS (31536000 seconds), certificate pinning on desktop app
- Access Control: RBAC (admin, pentester, client, client_viewer, bughunter) with least-privilege principle
8.2 Organizational Measures
- Staff training on data protection
- Incident response plan (Section 9)
- Data Processing Agreements with all vendors
- Regular security audits
- Penetration testing (BeDefended platform itself)
- Backup and disaster recovery procedures
8.3 Monitoring & Logging
- All data access logged with timestamp, IP, user agent
- Failed authentication attempts tracked + progressive backoff
- Sensitive operations require approval/audit
9. Breach Notification (GDPR Art. 33-34)
9.1 Internal Process
If a personal data breach is detected:
1. Discovery → Assessment (4 hours)
   - Confirm breach occurred
   - Assess risk to rights/freedoms
   - Document incident
2. Notification to Supervisory Authority (24-72 hours)
   - If high risk, notify without undue delay
   - Notification to Italian DPA by default
   - Include: nature of breach, likely consequences, contact point, measures taken
3. Notification to Data Subjects (72 hours)
   - If high risk to personal rights/freedoms
   - Plain language explanation
   - Recommended protective measures
   - Contact point for questions
   - Proof of notification retained
9.2 Contact for Breach Reporting
Email: privacy@bedefended.com (monitored 24/7 for incidents)
10. Data Protection Officer (DPO)
Designation: Required under GDPR Art. 37(1)(b) for public authority/organization.
Contact: privacy@bedefended.com
Responsibilities:
- Monitor GDPR compliance
- Serve as contact point for data subjects & supervisory authorities
- Conduct Data Protection Impact Assessments (DPIA)
- Maintain records of processing
11. Consent & Cookie Management (GDPR Art. 7, 49)
11.1 Cookie Categories
- Essential (Necessary) — Session tokens, CSRF protection
  - Lawful basis: Legitimate interest (Art. 6(1)(f))
  - No consent required
- Functional — Language preference, UI settings
  - Lawful basis: Legitimate interest
  - Consent required
- Analytics — Usage statistics, feature adoption
  - Lawful basis: Consent (Art. 6(1)(a))
  - Consent required
- Marketing — Promotional emails, retargeting (if applicable)
  - Lawful basis: Consent
  - Consent required
11.2 Consent Withdrawal
Users can withdraw consent at any time via:
- Endpoint: POST /api/v1/privacy/consent-withdraw
- Email: privacy@bedefended.com
12. Data Subject Access Request (DSAR)
12.1 Submitting a DSAR
Email: privacy@bedefended.com
Include:
- Your full name or company name
- Email associated with account (if any)
- Specific data you're requesting
- Proof of identity
12.2 Response Timeline
- Standard: 30 calendar days from receipt
- Extension: Up to 60 additional days if request is complex/numerous
- Format: JSON (machine-readable), or PDF upon request
- Cost: Free (no charge for copies)
13. Automated Decision-Making & Profiling (GDPR Art. 22)
BeDefended DOES NOT:
- Use automated scoring to deny access to services
- Apply automated profiling that produces legal effects
- Make findings/recommendations via purely automated means
Exception: Optional spam/credential detection in proxy analysis (advisory only, not binding).
14. Children's Data (GDPR Art. 8)
BeDefended services are NOT directed at children under 13.
If we discover a minor's data has been processed without parental consent, we will:
1. Delete the data immediately
2. Notify the parent/legal guardian
3. Document the incident
Users under 18 may use the platform only with parental/guardian consent.
15. Policy Updates
This policy may be updated from time to time to reflect:
- Changes in GDPR interpretation
- New feature deployments
- Regulatory feedback
Changes will be:
- Posted at least 30 days before taking effect
- Notified via email to active users
- Archived with version history
16. Contact & Complaints
For Questions About This Policy:
Email: privacy@bedefended.com
To File a Complaint:
You have the right to lodge a complaint with a supervisory authority (DPA) in your country:
- Italy: Garante per la protezione dei dati personali (www.garanteprivacy.it)
- Your Country: Search "data protection authority [country name]"
Appendix A: GDPR Article References
| GDPR Section | Topic | Implementation |
|---|---|---|
| Art. 5 | Principles (lawfulness, fairness, transparency, etc.) | Sections 3-4 |
| Art. 6 | Lawful basis | Section 3 |
| Art. 9 | Special categories | Section 4 |
| Art. 13-14 | Information to provide | Sections 2, 6-7 |
| Art. 15 | Right of access | Section 5.1 |
| Art. 16 | Right to rectification | Section 5.2 |
| Art. 17 | Right to erasure | Section 5.3 |
| Art. 18 | Right to restrict | Section 5.6 |
| Art. 20 | Right to portability | Section 5.4 |
| Art. 21 | Right to object | Section 5.5 |
| Art. 22 | Automated decision-making | Section 13 |
| Art. 32 | Security of processing | Section 8 |
| Art. 33-34 | Breach notification | Section 9 |
| Art. 37-39 | Data Protection Officer | Section 10 |
Document Version: 1.0 | Updated: 2026-03-17