How We Protect Your Data
As a security company, we hold ourselves to the highest standards of information security. We are ISO 27001 certified, SOC 2 Type II audited, and designed from the ground up with European data protection requirements in mind.
ISO 27001: Information security management system certified by an accredited third-party auditor.
SOC 2 Type II: Annual independent audit of our security, availability, and confidentiality controls.
GDPR: Full compliance with EU GDPR, including EU data residency options and DPA agreements.
EU data residency: All customer data processed and stored exclusively within EU data centres.
Our Security Controls
We apply the same rigour to protecting your data that our platform applies to discovering your organisation's vulnerabilities.
Encryption Everywhere
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Encryption keys are managed using AWS KMS with regular rotation. Customer data is encrypted with customer-specific keys.
Infrastructure Security
Cloud-native infrastructure deployed on AWS within EU regions. VPC isolation, security group controls, and private subnets ensure no unnecessary internet exposure. Infrastructure as Code with security scanning in CI/CD.
Access Controls
Role-based access control following the principle of least privilege. MFA required for all employees. Privileged access management for production system access. Comprehensive audit logging of all access and changes.
Vulnerability Management
Continuous security scanning of our own infrastructure and code. Annual penetration testing by independent security firms. Responsible disclosure programme with public bug bounty.
Security Testing
Annual external penetration tests conducted by CREST-accredited firms. SAST and DAST scanning in CI/CD pipelines. Dependency vulnerability scanning with automated patching workflows.
Incident Response
Documented incident response procedures tested quarterly. Security incident notification to affected customers within 72 hours. Dedicated security incident hotline for customer escalations.
Data Privacy and GDPR
All customer data is stored and processed in AWS eu-west-1 (Ireland) and eu-central-1 (Frankfurt). No data is transferred outside the European Economic Area.
We provide GDPR-compliant Data Processing Agreements (DPAs) for all customers. Our DPA includes all required Article 28 clauses and covers sub-processor obligations.
We collect only the data necessary to deliver our services. Our scanning is entirely passive and externally observable — we never access your internal systems or networks.
Security scan data is retained for 24 months to support historical trend analysis. Customer account data is deleted within 30 days of contract termination.
Responsible Disclosure
We believe in working with the security research community to identify and address vulnerabilities. If you have discovered a potential security issue in ThreatLens360, we want to hear from you.