1. Who We Are
SurfaceScan ("Company", "we", "us", or "our") operates surfacescan.app and provides a continuous external attack surface management (EASM) platform for security teams.
If you have any questions about this Privacy Policy, please contact us at privacy@surfacescan.app.
2. Information We Collect
2.1 Information You Provide
- Account registration data (name, work email, company name)
- Domains, IP ranges, and ASNs you configure for scanning
- Support requests and communications
- Demo request forms and newsletter subscriptions
2.2 Information We Collect Automatically
- Usage and telemetry data (pages visited, features used, session duration)
- IP address and browser/device information
- Log data and error reports
- Cookies and similar tracking technologies (see Section 7)
2.3 Scan Data
When you configure domains for scanning, we collect and store metadata about your external attack surface — asset records, open ports, certificates, DNS records, and findings. We do not retain the raw contents of files or credentials beyond what is necessary to confirm a finding and immediately notify you.
3. How We Use Your Information
- To provide, maintain, and improve the SurfaceScan platform
- To deliver attack surface findings and security alerts
- To respond to support requests and customer communications
- To send product updates, security newsletters, and promotional communications (you may opt out at any time)
- To detect, investigate, and prevent fraud, abuse, and security incidents
- To comply with legal obligations
- To perform anonymized, aggregate research on attack surface trends (never individually identifiable)
4. Legal Bases for Processing (GDPR)
For users in the European Economic Area (EEA) and UK, we process your personal data under the following legal bases:
- Contract: Processing necessary to provide our services to you
- Legitimate Interests: Security monitoring, product improvement, fraud prevention
- Consent: Marketing communications and cookies (where required)
- Legal Obligation: Compliance with applicable law
5. Data Sharing and Disclosure
We do not sell your personal data. We may share information with:
- Service Providers: Cloud hosting, email delivery, analytics, and payment processing vendors who process data on our behalf under strict data processing agreements
- Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets
- Legal Requirements: When required by law, subpoena, or similar legal process
- Safety: To protect the rights, property, or safety of SurfaceScan, our customers, or the public
6. Data Retention
We retain your data for as long as your account is active or as needed to provide services. Scan findings and asset records are retained for 24 months of rolling history by default, configurable per plan.
Upon account termination, we will delete or anonymize your personal data within 90 days, subject to legal hold obligations.
7. Cookies
We use cookies and similar tracking technologies to operate our platform and understand how it is used. You can manage cookie preferences using the Cookie Settings tool (available in the footer of every page).
- Essential: Required for the platform to function (authentication, security)
- Analytics: Aggregate usage data to improve the product (opt-out available)
- Marketing: Used to measure the effectiveness of our campaigns (requires consent)
8. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data (right to erasure)
- Portability: Request your data in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request restriction of processing in certain circumstances
- Withdraw Consent: Withdraw consent at any time for consent-based processing
To exercise any of these rights, contact us at privacy@surfacescan.app. We will respond within 30 days.
9. Security
We implement industry-standard security measures including encryption in transit (TLS 1.3) and at rest (AES-256), role-based access controls, and regular third-party security audits. SurfaceScan is SOC 2 Type II certified. However, no system is 100% secure. In the event of a data breach, we will notify affected customers and regulators as required by applicable law.
10. International Transfers
SurfaceScan is headquartered in the United States. If you are located in the EEA, UK, or Switzerland, your data may be transferred to the US. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. EU data residency is available for Enterprise customers.
11. Children's Privacy
SurfaceScan is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the platform. Your continued use of SurfaceScan after changes become effective constitutes acceptance of the revised policy.
13. Contact Us
For privacy-related questions, requests, or complaints:
Email: privacy@surfacescan.app
Data Protection Officer: dpo@surfacescan.app
You also have the right to lodge a complaint with your local data protection authority.