This Privacy Policy explains how DefZero collects, uses, stores, and protects personal data in connection with the beta website, beta access requests, onboarding communications, and use of the SecRaptor service.
1. Controller and contact
DefZero is an unincorporated sole proprietorship (eenmanszaak) established in the Netherlands and is the controller for the personal data described in this policy for the beta site and related account onboarding processes.
DefZero is registered with the Netherlands Chamber of Commerce (KVK) under number 93371896.
For customer-directed use of Tenant-Managed Scope, where DefZero processes personal data contained in customer-submitted targets, scan configurations, scan results, vulnerability findings, asset metadata, reports, or related customer environment data on behalf of a customer, DefZero generally acts as processor and the customer generally acts as controller. DefZero remains an independent controller for account administration, platform security, abuse prevention, legal compliance, enforcement of beta or scope boundaries, and establishment, exercise, or defence of legal claims.
For privacy or data protection questions, contact [email protected] or [email protected].
2. Personal data we collect
We may collect personal data directly from you, from your organization, and from service usage.
- Beta and demo request details such as full name, business email, company name, phone number, website, and country or region.
- Verification and onboarding records, including beta-scope confirmations, legal acceptance records, invitation-code status, rejected Target submission attempts, and workspace onboarding decisions.
- Communications data such as support or onboarding emails.
- Technical and security data such as IP-derived records, timestamps, user agent information, request logs, anti-abuse data, and security-event records.
- Cookie and analytics consent records, including the time of the choice, consent version, consent source, browser or user-agent information, and IP address. These records are kept to evidence the consent choice, prevent abuse, and resolve disputes about whether analytics or related cookies were accepted.
- For ordinary site requests, IP addresses may be stored in hashed or otherwise pseudonymized form. If abuse, attack activity, unauthorized scanning, excessive requests, form abuse, CAPTCHA or anti-abuse failure, or other security misuse is suspected, DefZero may log raw IP addresses, user agent details, request metadata, timestamps, and related technical evidence.
- Platform account, tenant, and usage information if your organization is onboarded.
- Customer-submitted target and scope data, where Tenant-Managed Scope is approved, such as domains, URLs, IP addresses, hostnames, applications, cloud resource identifiers, repositories, endpoints, network ranges, systems, scan restrictions, and other customer-authorized scan targets.
- Scan and evaluation data generated through customer-directed use of SecRaptor, such as scan configurations, scan results, vulnerability findings, asset metadata, timestamps, technical logs, security-event records, administrator actions, reports, and related evidence generated by the platform.
- OSINT and passive exposure data connected to approved scans, including data obtained from or submitted to third-party OSINT sources such as Shodan where OSINT enrichment is enabled.
- Tenant-Managed Scope records, including enablement records, signed or accepted scope acknowledgements, target submission records, rejected target attempts, administrator actions, audit logs, and related scope-control records.
3. How we use personal data
Business email and related request details are required to review a beta or demo request, verify that the request is associated with the correct organization, communicate next steps, and coordinate manual onboarding. If required request information is not provided, DefZero may be unable to review the request, schedule a demo, or provide beta access.
- To review beta access requests and assess business fit and authorization.
- To communicate about demos, beta requests, approval decisions, and onboarding.
- To create and administer beta or demo workspaces if access is approved.
- To send onboarding, support, security, and service communications.
- To protect the beta site and service against abuse, fraud, and unauthorized use.
- To maintain records of legal acceptance, beta-scope confirmations, rejected Target submission attempts, security events, and operational actions.
- To improve the product, onboarding flow, and related documentation.
- To provide, operate, support, and secure approved Tenant-Managed Scope functionality.
- To process customer-submitted targets, scan configurations, scan results, vulnerability findings, reports, and related customer environment data for customer-directed beta evaluation use.
- To perform OSINT and passive exposure enrichment for approved targets, including by querying third-party OSINT providers such as Shodan where OSINT enrichment is enabled.
- To evidence customer instructions, enforce agreed beta and scope boundaries, prevent unauthorized scanning, investigate abuse, and protect DefZero, customers, and third parties.
- To restrict, suspend, or disable Tenant-Managed Scope, specific targets, scan settings, or platform access where use appears unauthorized, unsafe, unlawful, abusive, outside agreed scope, or likely to create legal, operational, security, or reputational risk.
4. Legal bases
Depending on the context, we process personal data on the basis of contract, legitimate interests, consent, and legal obligations.
- Contract: where processing is necessary to evaluate or provide the requested service.
- Legitimate interests: for security, attack detection, abuse prevention, fraud prevention, service improvement, business operations, legal acceptance records, scope-control records, and defence of legal claims.
- Consent: where we rely on your explicit submission or acceptance in a website flow.
- Legal obligation: where records or disclosures are required by GDPR, the Dutch Implementation Act on the GDPR (UAVG), tax, accounting, court, regulator, or other applicable law.
- Processor instructions: where DefZero acts as processor for customer-directed Tenant-Managed Scope data, DefZero processes personal data on the customer's documented instructions under the applicable agreement, Tenant-Managed Scope Authorization, and/or Data Processing Agreement. DefZero may process related account, security, abuse-prevention, legal acceptance, scope-control, and audit records as an independent controller on the legal bases described above.
5. Sharing and processors
We do not sell personal data. We may share personal data with service providers that help us host the site, provide email delivery, secure the service, and operate the platform.
Where CAPTCHA, bot-detection, email delivery, hosting, logging, or security tooling is configured, those providers may process technical and contact data needed to provide those services, including customer-directed evaluation data where applicable.
Where OSINT enrichment is enabled for an approved target, SecRaptor may query third-party OSINT providers such as Shodan. This may involve sending target identifiers such as domains, hostnames, or IP addresses to that provider and receiving passive exposure, port, banner, certificate, vulnerability, or related public-internet metadata in return.
The main recipient categories are hosting and infrastructure providers such as AWS, CDN and security providers such as Cloudflare, Cloudflare Web Analytics where enabled, email delivery providers, CAPTCHA and bot-detection providers, OSINT providers such as Shodan where OSINT enrichment is enabled, and logging or security operations tooling.
Where DefZero processes personal data on behalf of a customer in connection with Tenant-Managed Scope, customer-submitted targets, scan results, reports, or related customer environment data, the parties may enter into a Data Processing Agreement / verwerkersovereenkomst. That agreement will govern DefZero's processing of such personal data on behalf of the customer.
We may also disclose information where required by law, to enforce our terms, to protect rights and security, or in connection with a corporate transaction.
6. Cookies, local storage, and infrastructure metadata
The beta site may use Cloudflare Web Analytics to understand beta launch traffic, page views, and basic site performance. DefZero does not use advertising cookies, marketing pixels, or cross-site tracking technologies. Web analytics is loaded by the beta site only after the visitor accepts the cookie and analytics notice. DefZero may keep a consent record containing the visitor's IP address, browser or user-agent information, time of acceptance, consent version, and choice so it can evidence the acceptance and handle misuse or disputes. The site may use strictly necessary cookies for security, session integrity, CSRF protection, rate limiting, and form submission. The site may also use local storage to remember interface preferences such as theme choice and to remember that the cookie notice has been acknowledged.
Because the site may be served through Cloudflare and hosted on AWS or similar infrastructure, those providers may process visitor IP addresses, request metadata, security signals, and technical logs needed to deliver, secure, measure, and operate the site. If Cloudflare Web Analytics, Cloudflare Turnstile, or another CAPTCHA/bot-detection service is enabled, that provider may process technical signals needed to measure visitor traffic, site performance, or distinguish human visitors from automated abuse.
If advertising, tracking pixels, cross-site tracking, or other non-essential cookies are added later, DefZero will update this policy and request consent where required before using them.
7. International transfers
We aim to use providers and hosting arrangements that are suitable for business and security use, with EU/EEA hosting preferred where available. Where personal data is transferred outside the EU/EEA, we rely on lawful transfer mechanisms and appropriate safeguards, such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, or Standard Contractual Clauses.
8. Retention
We retain personal data for as long as reasonably necessary for the purposes described in this policy, including onboarding records, security logging, support handling, legal compliance, and dispute resolution.
Beta verification tokens expire after 24 hours. Expired unverified signup records may be deleted after 30 days. Declined, inactive, or non-proceeding demo and beta requests may be retained for up to 12 months. Approved beta, onboarding, legal acceptance, and beta-scope records may be retained for the duration of the beta relationship and up to 7 years where needed for business records, audit, legal compliance, enforcement, or defence of claims.
Ordinary request records are generally kept in hashed or pseudonymized form where practical and are generally retained for up to 90 days. Security-event records, including raw IP addresses and technical details connected to suspected abuse, attacks, unauthorized scanning, excessive requests, or other misuse, may be retained for up to 24 months, or up to 5 years for confirmed serious security incidents or legal disputes.
Cookie and analytics consent records may be retained for up to 24 months, or longer where needed to establish, exercise, or defend legal claims.
If a beta request does not proceed, we may still retain limited records needed for abuse prevention, audit, or legal purposes.
Legal-acceptance, beta-scope, rejected Target submission, and onboarding records may be retained where necessary to evidence customer instructions, enforce beta boundaries, or establish, exercise, or defend legal claims.
Customer-submitted targets, scan configurations, scan results, reports, Tenant-Managed Scope records, and related evaluation records may be retained for the duration of the beta, evaluation, pilot, subscription, or customer relationship, and thereafter for the period reasonably required for security, audit, legal compliance, dispute resolution, enforcement of scope boundaries, abuse prevention, or defence of claims, unless a shorter retention period is agreed in a separate written agreement or Data Processing Agreement.
When beta or evaluation access ends, DefZero may delete or de-identify customer evaluation data and related beta records, except where continued retention is reasonably required for security, audit, legal compliance, dispute resolution, abuse prevention, enforcement of scope boundaries, or defence of claims, or where a different retention period is agreed in a separate written agreement or Data Processing Agreement.
9. Security
We use reasonable technical and organizational measures to protect personal data, including access controls, logging, anti-abuse measures, and security-focused operational practices.
Email addresses are stored for communication, verification, demo coordination, and beta onboarding. Application logs should avoid recording raw requester email addresses during normal email sending; email-related events may use counts, status values, or hashed fingerprints instead.
For Tenant-Managed Scope, DefZero may use access controls, audit logs, target restrictions, scope controls, scan restrictions, abuse detection, and suspension or disablement controls to reduce the risk of unauthorized, unsafe, or out-of-scope scanning.
10. Your rights
Subject to applicable law, you may have rights to access, correct, delete, restrict, object to, or port certain personal data, and to withdraw consent where consent is the basis for processing.
To exercise a privacy right, contact [email protected] with enough information for us to identify your request.
Where DefZero processes personal data on behalf of a customer as processor, DefZero may refer the request to the relevant customer or handle it in accordance with the customer's instructions and the applicable Data Processing Agreement.
11. Policy updates
We may update this Privacy Policy from time to time. The current version published on this beta site applies from its stated effective date.