Privacy Policy

Your Data, Your Rights

Last Updated May 14, 2026

1. Introduction

Welcome to Externalsight. This Privacy Policy outlines how we collect, process, and protect your data when you use the Externalsight platform for External Attack Surface Monitoring (EASM). We are committed to maintaining the highest standard of data security and transparency.

Under applicable data protection laws, Externalsight acts exclusively as the Data Processor for your security-related scan data, while you retain all rights, responsibilities, and obligations as the Data Controller of the environments you monitor.

2. Types of Data We Process

In the course of providing our services, we process the following categories of data:

  • Account Data: Authentication identifiers, email addresses, and profile information necessary for platform access (managed securely via our authentication provider).
  • Scan Input Data: Target domains, IP addresses, and digital assets you explicitly authorize us to monitor. You retain sole and exclusive ownership of all scan inputs.
  • Security Scan Results: Output from our deterministic scanners, including open ports, DNS configurations (SPF, DKIM, DMARC), TLS/SSL mappings, HTTP misconfigurations, and CORS policies. You exclusively own all resulting security data generated by our platform.
  • Exposure Intelligence: Passive credential exposure signals and leaked access-token patterns derived from scanner evidence.
  • Infrastructure & Asset Data: Publicly queryable information used to discover cloud storage, CDN usage, MX records, and API endpoints.
  • Logs and Technical Metadata: Operational logs, error reports, and platform telemetry utilized strictly for service reliability and abuse prevention.

3. How Data Is Collected

We collect data through the following mechanisms:

  • User Input: Data you provide directly when creating an account, configuring scan targets, or verifying domain ownership.
  • Automated Scanning: Active, non-destructive network polling and deterministic scanning of your authorized, internet-facing assets.
  • Public Intelligence Sources: We enrich asset definitions from public records and scanner evidence, including Certificate Transparency logs, RDAP registries, and publicly observable exposure signals.

While we select our intelligence partners carefully, Externalsight acts solely as an aggregation mechanism for these sources and does not warrant or guarantee the absolute completeness, timing, or accuracy of third-party datasets.

4. Purpose of Processing

The data we collect is utilized exclusively to provide and improve the Externalsight platform. Specifically, we use it for:

  • Automated security analysis and asset mapping.
  • Deterministic risk scoring based on verifiable network evidence.
  • Continuous monitoring and automated alerting regarding changes to your attack surface (via historical snapshot hashing).
  • Generating on-demand PDF executive reports and technical remediation exports.

5. Legal Basis for Processing

For users subject to the GDPR or similar regulatory frameworks, our legal bases for processing include:

  • Performance of a Contract: Processing is necessary to deliver the EASM services you requested as the Data Controller.
  • Legitimate Interests: Operating our platform securely, investigating abuse, and maintaining service reliability.
  • Consent: Where explicitly obtained, for specific communications.

Data Processing Agreement (DPA): For enterprise customers and users subject to applicable data protection regulations, a formalized Data Processing Agreement is available upon request. Externalsight utilizes strictly audited sub-processors to deliver the Service, all of which are bound by equivalent, legally binding data protection obligations.

Sub-Processors

The Service relies on the following third-party sub-processors for core functionality:

Sub-processor                  Purpose                                            Region
Supabase                       Cloud database, authentication & real-time APIs    EU / US
Resend                         Email notification delivery                        US
DodoPayments                   Subscription billing & payment processing          US
Passive Credential Signals     Internal scanner-derived exposure indicators       UK
GitHub · GitLab · DockerHub    Public repository scanning for exposed secrets     US
Shodan                         Optional threat intelligence enrichment            US

All sub-processors are contractually obligated to protect your data with equivalent security standards. For a detailed list of current sub-processors or to request changes, contact privacy@externalsight.com.

6. Data Sharing Policy

Externalsight does not and will not sell your data. We share data only with trusted service providers essential to delivering our platform (e.g., cloud hosting, authentication providers) under strict confidentiality and data-processing agreements.

7. Data Retention

We retain account data for as long as your account is active. Operational scan results and historical analysis states — which remain your intellectual property — are stored in our secure databases as compressed JSON objects to facilitate timeline comparisons and change detection.

Scan Retention by Plan: To optimize storage and performance, completed scans are retained according to your subscription tier:

Plan        Scan History Retained                                        Notes
Recon       Last 2 full scans                                            Older scans automatically removed
Sentinel    Last 3 full scans plus 12 summary-only historical records    Targeted category scans retain the last 3 records per domain
Fortress    Last 3 full scans plus 12 summary-only historical records    Targeted category scans retain the last 3 records per domain

Summary-only records keep scan metadata and issue summaries but remove the full compressed report payload. When a domain is deleted, its scans and alerts are permanently removed through database cascades. You may request permanent deletion of your entire account and associated scan histories at any time by contacting privacy@externalsight.com.

8. Data Security Measures

We implement rigorous, enterprise-grade security protocols, including:

  • Encryption at Rest & In Transit: Data is encrypted using industry-standard cryptography across all storage and transmission paths.
  • Access Control: Strict Role-Based Access Control and Row Level Security (RLS) enforced at the database level to guarantee logical isolation between tenant environments.
  • Authentication: Secure, token-based authentication (JWT) powered by Supabase with RS256/ES256 algorithm validation at the middleware layer.

9. User Rights

Depending on your jurisdiction, you have the right to access, rectify, port, or erase your personal data, as well as the right to restrict or object to certain processing. To exercise these rights, please contact our privacy team at privacy@externalsight.com. We will respond within 10 business days.

Account Deletion: To request permanent deletion of your account and all associated scan data, email privacy@externalsight.com with subject line "Account Deletion Request."

10. International Data Transfers

Your data may be processed in regions outside your jurisdiction. We utilize standard contractual clauses or equivalent legal mechanisms to legally safeguard all cross-border data transfers.

11. Changes to Policy

We frequently assess our privacy practices. Any material updates to this Privacy Policy will be communicated via the platform or email. Continued use of the platform after changes constitutes acceptance of the revised policy.

Privacy Enquiries: Questions about this policy or your data rights? Reach our privacy team directly at privacy@externalsight.com.