Intrudify Penetration Testing
Main Menu
CONTACT
CONTACT

Privacy Policy

1. Privacy Policy

1. INTRODUCTION

This Privacy Policy explains how Intrudify S.R.L. (“Intrudify”, “we”, “us”, or “our”) collects, uses, processes, and protects personal data in connection with our website (intrudify.com) and our penetration testing platform and services (collectively, the “Service”).

Intrudify is committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Romanian Law no. 190/2018 implementing GDPR, and all other applicable data protection laws.

By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data processing practices, please do not use the Service.

1.1 Data Controller

For the purposes of the GDPR, Intrudify S.R.L. is the data controller with respect to the personal data we collect directly from you (as described in Sections 2-8 of this Part A). For personal data encountered during penetration testing scans, Intrudify acts as a data processor on behalf of the Customer (see Part B: Data Processing Agreement).

1.2 Data Protection Officer

For questions regarding this Privacy Policy or to exercise your data subject rights, please contact us at: [email protected]

 

2. PERSONAL DATA WE COLLECT

2.1 Account and Registration Data

When you create an account, we collect: your full name and job title, company legal name and registration number, business email address, business address, phone number (if provided), and payment and billing information (processed through our payment service provider).

2.2 Service Usage Data

When you use the Service, we automatically collect: domains and Targets submitted for scanning, per-Target authorization attestations (including timestamps and IP addresses), scan configurations and settings, scan results and generated reports, IP addresses and browser/device information, login timestamps and session data, and feature usage patterns and platform interactions.

2.3 Communication Data

When you contact us, we collect: the content of your communications (emails, support requests, chat messages), your name and contact details, and any attachments or additional information you provide.

2.4 Website Analytics Data

When you visit our website, we may collect: pages visited and navigation patterns, referring URLs and exit pages, device type, operating system, and browser type, and approximate geographic location (country/region level).

 

3. LEGAL BASIS FOR PROCESSING

We process your personal data on the following legal bases under Article 6(1) of the GDPR:

Contractual Necessity (Article 6(1)(b)): Processing necessary to perform our contract with you, including providing the Service, processing payments, managing your account, and delivering scan results and reports.

Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, including improving the Service, ensuring platform security, detecting fraud and abuse, conducting analytics, and marketing (where applicable). We have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms.

Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal obligations, including tax and accounting requirements, responding to valid legal requests from authorities, and retaining records required by law.

Consent (Article 6(1)(a)): Where applicable, processing based on your explicit consent, such as for marketing communications. You may withdraw consent at any time.

 

4. HOW WE USE YOUR PERSONAL DATA

We use your personal data for the following purposes: providing, maintaining, and improving the Service; processing payments and managing subscriptions; verifying domain ownership and authorization; generating and delivering pentest reports; providing AI-powered remediation guidance; calculating and maintaining the Intrudify Security Score; communicating with you about your account, the Service, and support requests; detecting, investigating, and preventing fraud, abuse, and unauthorized use; complying with legal obligations and responding to lawful requests; and conducting analytics to improve the Service.

 

5. HOW WE SHARE YOUR PERSONAL DATA

5.1 Service Providers

We share personal data with third-party service providers who assist us in operating the Service, including: cloud infrastructure providers (hosting and data storage), payment processors (payment processing), email and communication providers (transactional communications), and analytics providers (website and service analytics).

All service providers are contractually bound to process personal data only on our instructions and in accordance with applicable data protection laws.

5.2 Legal and Regulatory Disclosures

We may disclose personal data: (a) to comply with applicable law, regulation, or legal process; (b) in response to valid requests from law enforcement or regulatory authorities; (c) to protect the rights, property, or safety of Intrudify, our customers, or third parties; and (d) in connection with an investigation of suspected violations of the Terms of Service or Acceptable Use Policy, including unauthorized scanning.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal data may be transferred to the acquiring entity. We will notify you of any such transfer and any changes to the applicable privacy practices.

5.4 No Sale of Personal Data

Intrudify does not sell personal data to third parties.

 

6. INTERNATIONAL DATA TRANSFERS

Your personal data may be transferred to and processed in countries outside the European Economic Area (“EEA”). When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place, including: Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR), adequacy decisions by the European Commission (Article 45 GDPR), or other lawful transfer mechanisms under the GDPR.

You may request information about the specific safeguards applied to your data by contacting us at [email protected].

 

7. DATA RETENTION

We retain personal data for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements. Specific retention periods are as follows:

  • Account data: retained for the duration of your account and for 24 months following account closure;
  • Scan results and reports: retained for 36 months following generation, or longer if required for ongoing subscription services;
  • Attestation records (per-Target authorization confirmations): retained for 60 months following the last scan associated with the Target;
  • Audit logs (scan initiation, Target addition, account activity): retained for 60 months;
  • Payment records: retained as required by Romanian tax and accounting laws (currently 10 years);
  • Communication data: retained for 24 months following the last communication; and
  • Website analytics data: retained for 24 months.

When personal data is no longer required, it is securely deleted or anonymized.

 

8. YOUR RIGHTS UNDER GDPR

Under the GDPR, you have the following rights with respect to your personal data:

Right of Access (Article 15): You may request confirmation of whether we process your personal data and, if so, a copy of such data and information about how it is processed.

Right to Rectification (Article 16): You may request correction of inaccurate personal data or completion of incomplete personal data.

Right to Erasure (Article 17): You may request deletion of your personal data, subject to legal retention requirements and our legitimate interests.

Right to Restriction of Processing (Article 18): You may request that we restrict the processing of your personal data in certain circumstances.

Right to Data Portability (Article 20): You may request to receive your personal data in a structured, commonly used, machine-readable format.

Right to Object (Article 21): You may object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at www.dataprotection.ro, or with the supervisory authority of your habitual residence or place of work.

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within thirty (30) days.

 

9. COOKIES AND TRACKING

Our website uses cookies and similar technologies. We use strictly necessary cookies to ensure the proper functioning of the website, analytics cookies to understand how visitors interact with our website (subject to your consent), and preference cookies to remember your settings and preferences. You can manage your cookie preferences through the cookie consent banner displayed on our website or through your browser settings.

 

10. SECURITY MEASURES

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including encryption of data in transit and at rest, access controls and authentication mechanisms, regular security assessments and monitoring, employee training on data protection, and incident response procedures.

 

11. CHILDREN’S PRIVACY

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete such data promptly.

 

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. Material changes will be communicated to you via email at least thirty (30) days before the changes take effect. The date of the most recent revision is indicated at the top of this document.

2. Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Customer and Intrudify S.R.L. and sets forth the parties’ obligations with respect to the processing of personal data by Intrudify on behalf of the Customer in connection with the Service.

 

1. DEFINITIONS

In this DPA, unless the context otherwise requires: “Controller” means Customer, who determines the purposes and means of the processing of Personal Data; “Processor” means Intrudify, who processes Personal Data on behalf of the Controller; “Data Subject” means an identified or identifiable natural person to whom the Personal Data relates; “Personal Data” means any information relating to a Data Subject that is processed by Intrudify in connection with the Service; “Processing” has the meaning given in Article 4(2) of the GDPR; “Sub-processor” means any third party engaged by Intrudify to process Personal Data on behalf of the Controller; and “Data Protection Laws” means the GDPR, Romanian Law no. 190/2018, and all other applicable data protection and privacy laws.

 

2. SCOPE AND PURPOSE OF PROCESSING

2.1 Categories of Data Subjects

The Personal Data processed under this DPA may relate to: users and visitors of the Customer’s Target applications, employees of the Customer whose credentials are used for authenticated scanning, and end users of the Customer’s services whose data may be stored in the Target application.

2.2 Types of Personal Data

During the course of penetration testing, Intrudify may encounter and process: usernames and email addresses, session tokens and authentication credentials (provided by Customer for authenticated scanning), personal data stored in databases accessible through the Target application, IP addresses and technical identifiers, and any other personal data present in the Target application’s responses.

2.3 Purpose of Processing

Intrudify processes Personal Data encountered during scanning solely for the purpose of: performing the automated penetration test, identifying vulnerabilities and security issues, generating the pentest report (which may include excerpts of data as evidence of findings), providing AI-powered remediation guidance, and calculating the Intrudify Security Score.

2.4 Duration of Processing

Intrudify processes Personal Data for the duration of the scan and the period necessary to generate and deliver the pentest report. Personal Data encountered during scanning is not retained beyond report generation and delivery, except as specifically included in the report as evidence of findings. Report retention periods are specified in Part A, Section 7.

 

3. OBLIGATIONS OF INTRUDIFY AS PROCESSOR

Intrudify shall:

  1. Process Personal Data only on documented instructions from the Customer, including with respect to transfers of Personal Data to third countries, unless required to do so by applicable law (in which case Intrudify shall inform the Customer of that legal requirement before processing, unless prohibited by law);
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate: pseudonymization and encryption of Personal Data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems, the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures;
  4. Not engage another Processor (Sub-processor) without prior specific or general written authorization of the Customer. In the case of general written authorization, Intrudify shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes;
  5. Assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights under the GDPR;
  6. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Intrudify;
  7. At the choice of the Customer, delete or return all Personal Data to the Customer after the end of the provision of services relating to processing, and delete existing copies unless applicable law requires storage of the Personal Data; and
  8. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

 

4. SUB-PROCESSORS

4.1 Authorized Sub-processors

Customer provides general authorization for Intrudify to engage Sub-processors. As of the effective date of this DPA, Intrudify uses the following Sub-processors:

[INSERT TABLE OF SUB-PROCESSORS WITH: Name, Purpose, Location, Data Processed]

4.2 Notification of Changes

Intrudify shall notify the Customer in writing at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor. The Customer may object to the change within fifteen (15) days of receiving the notification. If the Customer objects and the parties cannot resolve the objection within thirty (30) days, either party may terminate the affected portion of the Service.

4.3 Sub-processor Obligations

Intrudify shall ensure that each Sub-processor is bound by data protection obligations no less protective than those set forth in this DPA.

 

5. DATA BREACH NOTIFICATION

Intrudify shall notify the Customer without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting Personal Data processed under this DPA. The notification shall include: a description of the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences of the breach, and the measures taken or proposed to be taken to address the breach.

Intrudify shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any personal data breach.

 

6. INTERNATIONAL TRANSFERS

Intrudify shall not transfer Personal Data outside the EEA without ensuring that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including where applicable the Standard Contractual Clauses approved by the European Commission.

 

7. AUDITS

Upon reasonable notice and no more than once per year (unless a data breach has occurred or a supervisory authority requires an audit), Customer may audit Intrudify’s compliance with this DPA. Audits shall be conducted during normal business hours, at the Customer’s expense, and in a manner that does not unreasonably disrupt Intrudify’s operations. Intrudify may satisfy audit requests by providing relevant certifications, audit reports, or other evidence of compliance.

 

8. LIABILITY

Each party’s liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

9. TERM

This DPA shall remain in effect for the duration of the Terms of Service and shall automatically terminate upon termination of the Terms of Service, without prejudice to Intrudify’s obligations regarding the deletion or return of Personal Data.

Last updated: 27 February 2026