Privacy Policy
1. Introduction
Welcome to SurfaceGuard. This Privacy Policy outlines how we collect, process, and protect your data when you use the SurfaceGuard platform for External Attack Surface Monitoring (EASM). We are committed to maintaining the highest standard of data security and transparency.
Under applicable data protection laws, SurfaceGuard acts exclusively as the Data Processor for your security-related scan data, while you retain all rights, responsibilities, and obligations as the Data Controller of the environments you monitor.
2. Types of Data We Process
In the course of providing our services, we process the following categories of data:
- Account Data: Authentication identifiers, email addresses, and profile information necessary for platform access (managed securely via our authentication provider).
- Scan Input Data: Target domains, IP addresses, and digital assets you explicitly authorize us to monitor. You retain sole and exclusive ownership of all scan inputs.
- Security Scan Results: Output from our deterministic scanners, including open ports, DNS configurations (SPF, DKIM, DMARC), TLS/SSL mappings, HTTP misconfigurations, and CORS policies. You exclusively own all resulting security data generated by our platform.
- Exposure Intelligence: Known breached credentials and leaked access tokens (such as AWS keys or GitHub tokens) discovered on third-party public repositories or databases.
- Infrastructure & Asset Data: Publicly queryable information identifying cloud storage, CDN usage, MX records, and API endpoints.
- Logs and Technical Metadata: Operational logs, error reports, and platform telemetry utilized strictly for service reliability and abuse prevention.
3. How Data Is Collected
We collect data through the following mechanisms:
- User Input: Data you provide directly when creating an account, configuring scan targets, or verifying domain ownership.
- Automated Scanning: Active, non-destructive network polling and deterministic scanning of your authorized, internet-facing assets.
- Third-Party Intelligence Sources: We enrich asset definitions by querying reputable public and commercial sources, including HaveIBeenPwned (HIBP) for credential exposure, GitHub/GitLab/DockerHub public API searches for secret leaks, Certificate Transparency logs (crt.sh), and RDAP registries.
While we select our intelligence partners carefully, SurfaceGuard acts solely as an aggregation mechanism for these sources and does not warrant or guarantee the absolute completeness, timing, or accuracy of third-party datasets.
4. Purpose of Processing
The data we collect is utilized exclusively to provide and improve the SurfaceGuard platform. Specifically, we use it for:
- Automated security analysis and asset mapping.
- Deterministic risk scoring based on verifiable network evidence.
- Continuous monitoring and automated alerting regarding changes to your attack surface (via historical snapshot hashing).
- Generating on-demand PDF executive reports and technical remediation exports.
5. Legal Basis for Processing
For users subject to the GDPR or similar regulatory frameworks, our legal bases for processing include:
- Performance of a Contract: Processing is necessary to deliver the EASM services you requested as the Data Controller.
- Legitimate Interests: Operating our platform securely, investigating abuse, and maintaining service reliability.
- Consent: Where explicitly obtained, for specific communications.
Data Processing Agreement (DPA): For enterprise customers and users subject to applicable data protection regulations, a formalized Data Processing Agreement is available upon request. SurfaceGuard utilizes strictly audited sub-processors to deliver The Service, all of which are bound by equivalent, legally binding data protection obligations.
Sub-Processors
The Service relies on the following third-party sub-processors for core functionality:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase | Cloud database, authentication & real-time APIs | EU / US |
| Resend | Email notification delivery | US |
| DodoPayments | Subscription billing & payment processing | US |
| HaveIBeenPwned | Credential breach lookups (HIBP) | UK |
| GitHub · GitLab · DockerHub | Public repository scanning for exposed secrets | US |
| Shodan | Optional threat intelligence enrichment | US |
All sub-processors are contractually obligated to protect your data with equivalent security standards. For a detailed list of current sub-processors or to request changes, contact privacy@externalsight.com.
6. Data Sharing Policy
SurfaceGuard does not and will not sell your data. We share data only with trusted service providers essential to delivering our platform (e.g., cloud hosting, authentication providers) under strict confidentiality and data-processing agreements.
7. Data Retention
We retain account data for as long as your account is active. Operational scan results and historical analysis states—which remain your intellectual property—are stored in our secure databases as compressed JSON objects to facilitate timeline comparisons and change detection.
Scan Retention by Plan: To optimize storage and performance, completed scans are retained according to your subscription tier:
| Plan | Scan History Retained | Notes |
|---|---|---|
| Recon | Last 3 completed scans | Older scans automatically removed |
| Sentinel | Last 15 completed scans | — |
| Fortress | Last 30 completed scans | — |
| Citadel | Unlimited | Retained while workspace is active |
You may request permanent deletion of your entire account and associated scan histories at any time by contacting privacy@externalsight.com.
8. Data Security Measures
We implement rigorous, enterprise-grade security protocols, including:
- Encryption: Data is encrypted at rest and in transit using industry-standard cryptography.
- Access Control: Strict Role-Based Access Control and Row Level Security (RLS) enforced at the database level to guarantee logical isolation between tenant environments.
- Authentication: Secure, token-based authentication (JWT) powered by Supabase.
9. User Rights
Depending on your jurisdiction, you have the right to access, rectify, port, or erase your personal data, as well as the right to restrict or object to certain processing. To exercise these rights, please contact our privacy team at privacy@externalsight.com. We will respond within 10 business days.
Account Deletion: To request permanent deletion of your account and all associated scan data, email privacy@externalsight.com with subject line "Account Deletion Request."
10. International Data Transfers
Your data may be processed in regions outside your jurisdiction. We utilize standard contractual clauses or equivalent legal mechanisms to legally safeguard all cross-border data transfers.
11. Changes to Policy
We frequently assess our privacy practices. Any material updates to this Privacy Policy will be communicated via the platform or email.