Roles
For account, billing where applicable, product analytics, security, and site operations, the service operator generally acts as an independent controller. For scan data, findings, project records, integration metadata, and customer-supplied provider keys processed through the service, the operator generally acts as a processor or service provider on behalf of the customer.
Processing Instructions
BreachScope processes customer data to provide the product, secure the service, troubleshoot issues, comply with law, and complete workflows the customer enables. Customer-enabled workflows may include scan ingestion, policy evaluation, evidence export, notification routing, ticket creation, model-assisted analysis, and web intelligence.
Security Measures
- Scoped dashboard API keys for automation.
- Hashing of API keys used for authentication, so the service stores only key hashes rather than the keys themselves.
- AES-256-GCM encryption for saved provider keys.
- Payload validation and upload size limits.
- Audit logs for sensitive project activity.
- Sandbox defaults that exclude local environment files unless explicitly included.
- Rate limiting, available when Upstash Redis is configured for the service.
Subprocessors And Integrations
BreachScope may use hosting, database, authentication, analytics, logging, email, security, and support providers to operate the service. Customer-enabled integrations send selected data to provider accounts configured by the customer. Customers are responsible for provider terms, credentials, and access scopes.
Deletion And Return
Scan records and findings can be deleted through available dashboard controls. Account, audit, security, and backup records may remain for a limited period where needed for legal, security, continuity, or dispute-resolution reasons.
Incidents
If BreachScope becomes aware of unauthorized access to customer data, the operator should investigate, contain the issue, preserve relevant logs, and notify affected customers without undue delay where notification is required.
International Transfers
Data may be processed in locations where the service, hosting providers, or customer-enabled integrations operate. Customers are responsible for deciding whether connected providers and transfer mechanisms fit their compliance needs.