Privacy Policy

Last updated: June 1, 2026

SurfaceScan is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

1. Who We Are

SurfaceScan ("Company", "we", "us", or "our") operates surfacescan.app and provides a continuous external attack surface management (EASM) platform for security teams.

If you have any questions about this Privacy Policy, please contact us at privacy@surfacescan.app.

2. Information We Collect

2.1 Information You Provide

  • Account registration data (name, work email, company name)
  • Domains, IP ranges, and ASNs you configure for scanning
  • Support requests and communications
  • Demo request forms and newsletter subscriptions

2.2 Information We Collect Automatically

  • Usage and telemetry data (pages visited, features used, session duration)
  • IP address and browser / device information
  • Log data and error reports
  • Cookies and similar tracking technologies (see Section 7)

2.3 Scan Data

When you configure domains for scanning, we collect and store metadata about your external attack surface — asset records, open ports, certificates, DNS records, and findings. We do not retain the raw contents of files or credentials beyond what is necessary to confirm a finding and immediately notify you.

3. How We Use Your Information

  • To provide, maintain, and improve the SurfaceScan platform
  • To deliver attack surface findings and security alerts
  • To respond to support requests and customer communications
  • To send product updates, security newsletters, and promotional communications (you may opt out at any time)
  • To detect, investigate, and prevent fraud, abuse, and security incidents
  • To comply with legal obligations
  • To perform anonymized, aggregate research on attack surface trends (never individually identifiable)

4. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we process your personal data under the following legal bases:

  • Contract: Processing necessary to provide our services to you
  • Legitimate Interests: Security monitoring, product improvement, fraud prevention
  • Consent: Marketing communications and cookies (where required)
  • Legal Obligation: Compliance with applicable law

5. Data Sharing and Disclosure

We do not sell your personal data. We may share information with:

  • Service Providers: Cloud hosting, email delivery, analytics, and payment processing vendors who process data on our behalf under strict data processing agreements
  • Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets
  • Legal Requirements: When required by law, subpoena, or similar legal process
  • Safety: To protect the rights, property, or safety of SurfaceScan, our customers, or the public

6. Data Retention

We retain your data for as long as your account is active or as needed to provide services. Scan findings and asset records are retained for 24 months of rolling history by default, configurable per plan.

Upon account termination, we will delete or anonymize your personal data within 90 days, subject to legal hold obligations.

7. Cookies

We use cookies and similar tracking technologies to operate our platform and understand how it is used. You can manage cookie preferences using the Cookie Settings tool (available in the footer of every page).

  • Essential: Required for the platform to function (authentication, security)
  • Analytics: Aggregate usage data to improve the product (opt-out available)
  • Marketing: Used to measure the effectiveness of our campaigns (requires consent)

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data (right to erasure)
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw Consent: Withdraw consent at any time for consent-based processing

To exercise any of these rights, contact us at privacy@surfacescan.app. We will respond within 30 days.

9. Security

We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and regular third-party security audits. SurfaceScan is SOC 2 Type II certified. However, no system is 100% secure. In the event of a data breach, we will notify affected customers and regulators as required by applicable law.

10. International Transfers

SurfaceScan is headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your data may be transferred to the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. EU data residency is available for Enterprise customers.

11. Children's Privacy

SurfaceScan is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the platform. Your continued use of SurfaceScan after changes become effective constitutes acceptance of the revised policy.

13. Contact Us

For privacy-related questions, requests, or complaints:

Email: privacy@surfacescan.app

Data Protection Officer: dpo@surfacescan.app

You also have the right to lodge a complaint with your local data protection authority.