Personal Data Processing Policy
Last updated: June 15, 2026
This Personal Data Processing Policy ("Policy") describes the framework through which ScanForSecurity processes personal data. It is designed to align with the EU/UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA), and the controls required by ISO/IEC 27001:2022 and ISO/IEC 27701:2019.
1. Scope and roles
ScanForSecurity acts as a data controller for personal data collected through its publication, account system, contact form, and newsletter. Where ScanForSecurity processes personal data on behalf of a third party (for example, participants in co-published research), it acts as a data processor under a separate data processing agreement (DPA) that sets out the controller's instructions.
2. Data processing principles
All processing is governed by the GDPR Art. 5 principles:
- Lawfulness, fairness, and transparency.
- Purpose limitation. Data is collected for specified, explicit, and legitimate purposes.
- Data minimization. Only what is necessary is processed.
- Accuracy. Inaccurate data is corrected or deleted without delay.
- Storage limitation. Data is kept only as long as required.
- Integrity and confidentiality. Appropriate technical and organisational measures protect data.
- Accountability. We can demonstrate compliance through records and audits.
3. Categories of personal data
- Identifiers: name, email, account ID, IP address.
- Authentication: hashed credentials, OAuth identifiers.
- Communication: contact form submissions, newsletter preferences, support correspondence.
- Technical: device, browser, referrer, log data.
- Editorial contributions: comments, byline information for contributors.
We do not process special categories of personal data (GDPR Art. 9) unless the processing is explicitly required, one of the conditions in Art. 9(2) applies, and a lawful basis under Art. 6 also exists.
4. Records of processing activities (RoPA)
We maintain an internal Record of Processing Activities under GDPR Art. 30, listing processing purposes, categories of data subjects, categories of data and recipients, international transfers, retention periods, and a description of the security measures applied. The RoPA is reviewed at least annually and upon any material change.
5. Data Protection Impact Assessments (DPIA)
A DPIA is performed before introducing any processing activity likely to result in a high risk to the rights and freedoms of data subjects, including new use of AI decision-making, biometric data, or large-scale tracking.
6. International data transfers
Where data is transferred outside the EEA/UK, we rely on adequacy decisions (European Commission adequacy decisions for EU transfers, UK adequacy regulations for UK transfers) or, failing those, on the EU Standard Contractual Clauses (SCCs); for transfers from the UK we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. Before each transfer we carry out a transfer impact assessment following the European Data Protection Board's recommendations on supplementary measures, and apply supplementary measures (e.g. encryption in transit and at rest, pseudonymisation) where the assessment requires them.
7. Sub-processors and vendor management
Sub-processors are engaged under written DPAs that pass through GDPR Art. 28 obligations. Vendor selection includes security questionnaires, SOC 2 / ISO 27001 evidence where available, and periodic re-assessment.
8. Security controls
Our technical and organizational measures (TOMs), aligned with ISO/IEC 27001:2022 Annex A, include:
- Access control: role-based access, least privilege, MFA for staff.
- Cryptography: TLS 1.2+ in transit; AES-256 at rest.
- Application security: secure SDLC, dependency scanning, code review, secrets management.
- Operations: change control, logging and monitoring, backup and restore testing.
- Network: segmentation, firewalling, DDoS protection.
- People: confidentiality agreements, security awareness training.
- Vulnerability management: continuous scanning, periodic penetration testing, coordinated disclosure.
- Incident management: 24/7 on-call rotation; tested incident response plan.
9. Data subject rights
Requests under GDPR (access, rectification, erasure, restriction, portability, objection, withdrawal of consent) and CCPA/CPRA (know, delete, correct, limit use of sensitive personal information, opt-out of sale/share) are handled through a documented intake, identity-verification and response workflow within the statutory turnaround times (one month under GDPR, extendable by up to two further months for complex or numerous requests; 45 days under CCPA/CPRA, extendable once by a further 45 days). We charge no fee for the first copy of personal data; further copies, and requests that are manifestly unfounded or excessive, may attract a reasonable fee or be refused with reasons.
10. Retention and deletion
Retention periods are defined per data category in our records schedule (see Privacy Policy §6). On expiry, data is either deleted or anonymised so that re-identification is no longer reasonably possible.
11. Personal data breach response
Suspected breaches trigger our incident response procedure: containment, forensic assessment, notification to the competent supervisory authority within 72 hours of becoming aware of the breach where required by GDPR Art. 33 (with reasons given for any delay), and notification to affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34). All breaches, whether or not notified, are documented with their facts, effects, and remedial action taken.
12. Use of AI
We may use AI services to assist with content drafting and editing. AI providers process inputs as data processors under a DPA; we do not submit readers' personal data to AI services, and we configure providers to disable training on our data wherever that option is available.
13. Governance
This Policy is owned by the ScanForSecurity privacy function, reviewed at least annually and after any material legal, organizational, or technological change. Non-compliance is addressed through corrective action and, where relevant, formal disciplinary processes.
14. Contact
Privacy / Data Protection contact: privacy@scanforsecurity.com.
Postal correspondence may be sent on request.