EU Data Protection

GDPR Compliance

Last updated: January 21, 2026 Effective: January 21, 2026

Summary: NegevSecure is fully committed to GDPR compliance. We protect your personal data, respect your rights as a data subject, and maintain transparency about how we process your information. This page explains your rights and how we fulfill our obligations under the General Data Protection Regulation.

Table of Contents

  1. Our Commitment to GDPR
  2. Scope & Applicability
  3. Data Controller vs Data Processor
  4. Personal Data We Process
  5. Legal Bases for Processing
  6. Your Rights Under GDPR
  7. How to Exercise Your Rights
  8. Data Protection Measures
  9. International Data Transfers
  10. Data Retention
  11. Data Breach Procedures
  12. Data Protection Officer
  13. Sub-processors
  14. Data Processing Agreement
  15. Complaints & Supervisory Authority
  16. Contact Information

1. Our Commitment to GDPR

NegevSecure is fully committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR").

Our GDPR Commitments

  • Lawfulness: We only process personal data when we have a valid legal basis
  • Transparency: We clearly communicate how and why we process your data
  • Data Minimization: We only collect data that is necessary for our purposes
  • Accuracy: We keep personal data accurate and up to date
  • Storage Limitation: We retain data only as long as necessary
  • Security: We implement appropriate technical and organizational measures
  • Accountability: We can demonstrate our compliance with GDPR

2. Scope & Applicability

2.1 Who This Applies To

This GDPR Compliance notice applies to:

  • Individuals located in the European Economic Area (EEA)
  • Individuals located in the United Kingdom
  • Individuals located in Switzerland
  • Any processing of personal data of EU/UK residents regardless of where we are located

2.2 Services Covered

This notice covers all NegevSecure services, including:

  • Our website at negevsecure.com
  • The NegevSecure security testing platform
  • Our APIs and integrations
  • Customer support services
  • Marketing communications

3. Data Controller vs Data Processor

Under GDPR, organizations can act as either a Data Controller or a Data Processor. NegevSecure operates in both capacities depending on the context:

3.1 NegevSecure as Data Controller

We act as the Data Controller when we determine the purposes and means of processing personal data, such as:

  • Account registration and management
  • Customer relationship management
  • Billing and payment processing
  • Marketing communications (with consent)
  • Website analytics and improvement
  • Customer support interactions

As a Data Controller, we are directly responsible for ensuring GDPR compliance for these processing activities.

3.2 NegevSecure as Data Processor

We act as a Data Processor when we process personal data on behalf of our customers during security scans. In this capacity:

  • We process data only according to your documented instructions
  • We implement appropriate security measures
  • We assist you in responding to data subject requests
  • We notify you of any data breaches without undue delay
  • We delete or return personal data upon termination
  • We provide information necessary for compliance audits

When acting as a Data Processor, we enter into a Data Processing Agreement (DPA) with you as the Data Controller.

4. Personal Data We Process

4.1 Categories of Personal Data

| Category | Examples | Purpose |
|---|---|---|
| Identity Data | Name, username, job title | Account management, personalization |
| Contact Data | Email address, phone number, company address | Communication, support |
| Technical Data | IP address, browser type, device info | Security, analytics, troubleshooting |
| Usage Data | Features used, pages visited, actions taken | Service improvement, analytics |
| Financial Data | Payment card details, billing address | Payment processing |
| Scan Data | Target URLs, findings, evidence | Providing security testing services |

4.2 Special Categories of Data

We do not intentionally collect special categories of personal data (sensitive data) such as:

  • Racial or ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic or biometric data
  • Health data
  • Sexual orientation

If you include such data in your scan targets, you are responsible for ensuring appropriate legal basis and safeguards.

5. Legal Bases for Processing

We process personal data under the following legal bases as defined by GDPR Article 6:

5.1 Contract Performance (Article 6(1)(b))

Processing necessary for the performance of a contract with you:

  • Creating and managing your account
  • Providing our security testing services
  • Processing payments
  • Providing customer support
  • Generating reports and findings

5.2 Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate interests, where not overridden by your rights:

  • Fraud prevention and security
  • Service improvement and analytics
  • Bug fixes and troubleshooting
  • Protecting our legal rights
  • Business communications with existing customers

We conduct Legitimate Interest Assessments (LIAs) to balance our interests against your rights.

5.3 Consent (Article 6(1)(a))

Processing based on your freely given consent:

  • Marketing emails and newsletters
  • Non-essential cookies and tracking
  • Testimonials and case studies
  • Optional data sharing with partners

You can withdraw consent at any time without affecting the lawfulness of prior processing.

5.4 Legal Obligation (Article 6(1)(c))

Processing required to comply with legal obligations:

  • Tax and accounting requirements
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

6. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

Right of Access

Article 15

You have the right to obtain confirmation of whether we process your personal data and to access that data along with information about how it is processed.

Right to Rectification

Article 16

You have the right to request correction of inaccurate personal data and completion of incomplete data without undue delay.

Right to Erasure

Article 17 ("Right to be Forgotten")

You have the right to request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or when you withdraw consent.

Right to Restriction

Article 18

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.

Right to Data Portability

Article 20

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object

Article 21

You have the right to object to processing based on legitimate interests or for direct marketing purposes at any time.

Right Regarding Automated Decisions

Article 22

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

Right to Withdraw Consent

Article 7(3)

Where processing is based on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

7. How to Exercise Your Rights

7.1 Submitting a Request

You can exercise your GDPR rights through any of the following methods:

  • Self-Service (Account Settings): Access, export, or delete your data directly through your account at Settings > Privacy > Data Rights
  • Email Our DPO: [email protected]
  • Online Form: Submit a request at negevsecure.com/data-rights
  • Postal Mail: Data Protection Officer, Redcliff Technologies LLC, 1209 Mountain Road PL NE STE R, Albuquerque, NM 87110

7.2 Verification

To protect your privacy, we may need to verify your identity before processing your request. This may include:

  • Confirming your email address
  • Asking security questions
  • Requesting additional documentation for sensitive requests

7.3 Response Timeline

  • We will acknowledge your request within 72 hours
  • We will respond to your request within 30 days
  • Complex requests may be extended by up to 60 additional days (we will notify you)
  • Requests are free of charge unless manifestly unfounded or excessive

8. Data Protection Measures

We implement comprehensive technical and organizational measures to protect personal data as required by GDPR Article 32:

8.1 Technical Measures

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Pseudonymization: Where possible, we separate identifying information from other data
  • Access Controls: Role-based access control (RBAC) and principle of least privilege
  • Authentication: Multi-factor authentication (MFA) required for all accounts
  • Monitoring: 24/7 security monitoring, intrusion detection, and logging
  • Backups: Encrypted backups with tested restoration procedures
  • Network Security: Firewalls, network segmentation, and DDoS protection

8.2 Organizational Measures

  • Data Protection Policies: Comprehensive policies governing data handling
  • Employee Training: Regular GDPR and security awareness training
  • Confidentiality: All employees sign confidentiality agreements
  • Background Checks: Security screening for employees with data access
  • Vendor Management: Due diligence and DPAs with all sub-processors
  • Incident Response: Documented procedures for security incidents
  • Regular Audits: Internal and external security audits

8.3 Privacy by Design & Default

We implement privacy by design and by default (Article 25) by:

  • Considering data protection from the start of new projects
  • Minimizing data collection to what is strictly necessary
  • Setting privacy-friendly defaults
  • Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing

9. International Data Transfers

When we transfer personal data outside the EEA, UK, or Switzerland, we ensure appropriate safeguards are in place as required by GDPR Chapter V:

9.1 Transfer Mechanisms

  • Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms
  • Adequacy Decisions: Transfers to countries recognized as providing adequate protection
  • Binding Corporate Rules: For intra-group transfers
  • Supplementary Measures: Additional technical and organizational safeguards

9.2 Sub-processors

Our primary sub-processors and their locations:

| Provider | Location | Purpose | Transfer Mechanism |
|---|---|---|---|
| Amazon Web Services | EU (Frankfurt), US | Cloud infrastructure | SCCs, DPA |
| Stripe | US | Payment processing | SCCs, DPA |
| Brevo (Sendinblue) | EU (France) | Email services | DPA |
| Intercom | US, EU | Customer support | SCCs, DPA |

A complete list of sub-processors is available upon request.

10. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, in accordance with GDPR Article 5(1)(e):

| Data Category | Retention Period | Legal Basis |
|---|---|---|
| Account data | Duration of account + 7 years | Contract, legal obligations |
| Scan data & findings | Per subscription plan (30-365 days) | Contract |
| Billing records | 7 years | Legal obligation (tax) |
| Support tickets | 3 years after resolution | Legitimate interests |
| Marketing consent | Until withdrawn | Consent |
| Server logs | 90 days | Legitimate interests |

After the retention period, personal data is securely deleted or anonymized.

11. Data Breach Procedures

We have implemented procedures to detect, report, and investigate personal data breaches as required by GDPR Articles 33-34:

11.1 Detection & Assessment

  • 24/7 security monitoring for breach indicators
  • Immediate assessment of breach severity and impact
  • Documentation of all suspected breaches

11.2 Notification to Supervisory Authority

If a breach is likely to result in a risk to individuals' rights and freedoms:

  • We notify the relevant supervisory authority within 72 hours
  • Notification includes nature of breach, categories of data, and remedial measures

11.3 Notification to Data Subjects

If a breach is likely to result in a high risk to individuals' rights and freedoms:

  • We notify affected individuals without undue delay
  • Notification includes clear description and recommended actions

11.4 Notification to Customers (Processor Role)

When acting as a Data Processor, we notify you as the Data Controller of any breach affecting your data without undue delay, enabling you to meet your notification obligations.

12. Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection strategy and ensuring compliance with GDPR.

12.1 DPO Contact Information

Data Protection Officer
Redcliff Technologies LLC
Email: [email protected]
Phone: +1 (866) 218-2196

12.2 DPO Responsibilities

  • Informing and advising on GDPR compliance
  • Monitoring compliance with data protection policies
  • Cooperating with supervisory authorities
  • Acting as point of contact for data subject requests
  • Conducting Data Protection Impact Assessments

13. Sub-processors

We use the following categories of sub-processors to help deliver our services:

  • Cloud Infrastructure: Hosting and data storage
  • Payment Processing: Secure payment handling
  • Email Services: Transactional and marketing emails
  • Analytics: Service improvement (anonymized where possible)
  • Customer Support: Help desk and communication tools

All sub-processors are bound by Data Processing Agreements and are required to maintain appropriate security measures. You can request a complete list of sub-processors by contacting our DPO.

14. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA), we provide a comprehensive agreement that covers:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Technical and organizational measures
  • Sub-processor requirements
  • Assistance with data subject requests
  • Audit rights

To request a DPA, please contact [email protected] or visit our DPA page.

15. Complaints & Supervisory Authority

15.1 Contact Us First

If you have concerns about our data processing practices, we encourage you to contact us first. We are committed to resolving any issues directly.

15.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

15.3 Key Supervisory Authorities

  • Ireland: Data Protection Commission (DPC) - dataprotection.ie
  • United Kingdom: Information Commissioner's Office (ICO) - ico.org.uk
  • Germany: Federal Commissioner for Data Protection - bfdi.bund.de
  • France: CNIL - cnil.fr

A full list of EU supervisory authorities is available on the EDPB website.

16. Contact Information

For any questions, concerns, or requests related to GDPR or data protection, please contact us:

  • Data Protection Officer: [email protected]
  • Privacy Team: [email protected]
  • Redcliff Technologies LLC: 1209 Mountain Road PL NE STE R, Albuquerque, NM 87110, United States; Phone: +1 (866) 218-2196
  • EU Representative: NegevSecure EU Representative, [EU Address], [email protected]

We are committed to protecting your personal data and respecting your rights under GDPR. If you have any questions or concerns, please don't hesitate to contact our Data Protection Officer.
