GDPR Compliance

1PenTesting Ltd is committed to protecting the privacy and rights of individuals under the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and outlines your rights as a data subject.

1. Our Role Under GDPR

Depending on how you use our Services, we may act as either a:

• Data Controller: When we collect and process your account information, usage data, and communications
• Data Processor: When we process data on behalf of our customers during security assessments

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

• Contract Performance: To provide our Services as agreed
• Legitimate Interests: To improve our Services, prevent fraud, and ensure security
• Legal Obligation: To comply with applicable laws and regulations
• Consent: For marketing communications and optional features

3. Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you, along with information about how it is processed.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data or completion of incomplete data.

Right to Erasure (Article 17)

You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data while concerns are being resolved.

Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format to transfer to another service.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, please contact our Data Protection Officer:

• Email: legal@1pentesting.com
• Subject line: "GDPR Request - [Your Right]"
• Include your full name and account email

We will respond to your request within 30 days. In complex cases, we may extend this by an additional 60 days with notice.

5. Data Protection Measures

We implement appropriate technical and organizational measures to ensure data security:

• Encryption of data in transit (TLS 1.3) and at rest (AES-256)
• Access controls with role-based permissions
• Regular security assessments and penetration testing
• Employee training on data protection
• Incident response procedures
• Data minimization practices

6. International Data Transfers

When we transfer personal data outside the EEA, we ensure adequate protection through:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions where applicable
• Data Processing Agreements with all sub-processors

7. Data Retention

We retain personal data only as long as necessary:

• Account data: Duration of account + 30 days
• Scan reports: 12 months (configurable)
• Billing records: 7 years (legal requirement)
• Support communications: 2 years

8. Sub-Processors

We use carefully selected sub-processors to provide our Services:

• Cloud Infrastructure: AWS (EU regions), Microsoft Azure (EU regions)
• Payment Processing: Stripe
• Email Services: SendGrid
• Analytics: Self-hosted (no third-party analytics)

A complete list of sub-processors is available upon request.

9. Data Processing Agreements

For customers who require a Data Processing Agreement (DPA), we provide:

• Standard DPA template compliant with GDPR Article 28
• Custom DPA negotiations for Enterprise customers
• Sub-processor lists and notification procedures

To request a DPA, contact us at legal@1pentesting.com.

10. Data Breach Notification

In the event of a personal data breach, we will:

• Notify the relevant supervisory authority within 72 hours
• Notify affected data subjects without undue delay if high risk
• Document the breach, its effects, and remedial actions
• Provide affected customers with a detailed incident report

11. Data Protection Officer

Our Data Protection Officer can be contacted at:

1PenTesting Ltd
Data Protection Officer
Email: legal@1pentesting.com

12. Supervisory Authority

If you are not satisfied with our response to your request, you have the right to lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO):

Information Commissioner's Office
Website: ico.org.uk
Phone: 0303 123 1113