Data Protection Policy

Introduction

Netsparker is a Data Controller – we acquire, store, manage and use personal information. As such, it is our legal and ethical responsibility to ensure that this data is handled in the correct way. As a company based in the UK, this means we must be compliant with the European Union (EU) General Data Protection Regulations (GDPR).

Netsparker is also a Data Processor – we input and deal with data at various levels and have direct legal responsibilities, such as the obligation to process it securely (Privacy by Design) and stop processing it if requested.

For the purposes of this Data Protection Policy, here is our definition of relevant terms:

  • Personal data – any information relating to an identified or identifiable natural person
  • Data subject – one who can be identified, directly or indirectly, in particular by reference to an any identifying information, of any degree or kind
  • Data processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means

Table of Content

  1. Scope
  2. Data Protection Principles
    1. Principle 1: Lawfulness, Fairness and Transparency
    2. Principle 2: Purpose Limitation
    3. Principle 3: Data Minimisation
    4. Principle 4: Accuracy
    5. Principle 5: Storage Limitation
    6. Principle 6: Integrity and Confidentiality
    7. Principle 7: Accountability
  3. Data Processing Activities
    1. Data Collection
    2. Data Processing
    3. Data Protection
      1. Encryption and Access Right
      2. Data Transfer
      3. Data Breach Notification
  4. Individual Data Rights 
    1. The right to be informed
    2. The right of access
    3. The right to rectification
    4. The right to erasure
    5. The right to restrict processing
    6. The right to data portability
    7. The right to object
    8. Rights in relation to automated decision making and profiling
  5. Contact Us

Scope

We have written a white paper outlining our understanding of these regulations (‘Whitepaper: The Road to GDPR Compliance‘). This Data Protection Policy outlines and affirms Invicti’s compliance with GDPR obligations. It does so by covering these three areas:

  • Data Protection Principles
  • Data Processing Activities
  • Individual Data Rights

Data Protection Principles

We have updated all of our policies to comply with the following principles. We closely follow legal updates to keep our service running.

Principle 1: Lawfulness, Fairness and Transparency

We are compliant with our obligation to ensure that all personal data is processed lawfully, fairly and in a transparent manner in relation to each data subject.

Principle 2: Purpose Limitation

We are compliant with our obligation to ensure that all personal data collected by Netsparker is done so for specified, explicit and legitimate purposes only, and is never further processed in a manner that is incompatible with those purposes.

Principle 3: Data Minimisation

We are compliant with our obligation to ensure that all personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.    

Principle 4: Accuracy

We are compliant with our obligation to ensure that all personal data is accurate and kept up to date.

Principle 5: Storage Limitation

We are compliant with our obligation to ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed.

Principle 6: Integrity and Confidentiality

We are compliant with our obligation to ensure that personal data is processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Principle 7: Accountability

We are compliant with our obligation to acknowledge, as the data controller, that Netsparker is responsible for, and be able to demonstrate, compliance.

Data Processing Activities

Data Collection

Depending upon your use of Netsparker sites and software, we may collect some or all of the personal and non-personal data that you input. When collecting this data, we keep the resources you have used to contact us, along with all your subsequent data, in accordance with the principles of confidentiality, integrity and availability.

We collect the minimal amount of data possible to maximize your privacy, while allowing us to provide you with the best possible service and customer experience. This data will never be disclosed to third parties, unless we are obliged by the law to do so. All personal data is stored securely. Netsparker has put in place suitable physical, electronic and managerial procedures to safeguard and secure all personal information we collected by this Website.

Data Processing

We have reviewed the purposes of our processing activities, and selected the most appropriate lawful basis (or bases) for each activity. The nature of the personal data we collect from customers, and the processing we perform, is limited in scope to the services we provide. Wherever you are required to submit data, you will be given options to restrict our use of that information.

Please review our Privacy Policy for further details.

Data Protection

We ensure appropriate safeguards are used pertaining to all our processing activities. These include:

Encryption and Access Right

We ensure that any data processor we use to do work on Invicti’s behalf also implements appropriate technical and organizational measures. This includes the use of encryption and/or pseudonymization where it is appropriate to do so. Netsparker closely follows up with all the latest technology used to keep data safe, and adheres to the latest industry standards regarding data security as they arise.

We have identified responsible people within the company and have restricted access to personal data. We provide granular access to all databases, restrict irrelevant usage, and follow processing actions. This ensures that everyone within or employed by Netsparker only has access to the data that is strictly appropriate to allow them to proceed with their tasks.

Data Transfer

Netsparker may transfer personal data to internal or third party recipients located in other countries, but will only do so where those countries are recognized as having an adequate level of legal protection for the rights and freedoms of the relevant data subjects. This is particularly the case with non-EU countries, outside the scope of the GDPR.

Netsparker may employ the services of third parties for limited purposes. However, the providers of such services do not have access to certain personal data provided by users of Netsparker products, and the use of such data for purposes outside their remit is strictly prohibited.

Data Breach Notification

Netsparker has both organizational and technical measures in place to prevent a breach of personal data. But if a breach occurs, we adhere to the latest data protection requirements, including the obligation to report it to the appropriate supervisory authority within 72 hours, and report it to any affected data subjects, once we have become aware of its occurrence, without undue delay. We have procedures in place to detect, escalate, and communicate data breaches without undue delay, should any breach of personal data occur.

Individual Data Rights

Netsparker acknowledges and upholds the data protection rights granted to data subjects in GDPR legislation. These rights include:

The right to be informed

We are compliant with the right of data subjects to obtain from Netsparker information on Invicti’s identity, contact details, representatives, data protection officer, and the legal basis for processing your personal information.

The right of access

We are compliant with the right of data subjects to obtain from Netsparker confirmation as to whether we are processing personal data about you, as well as the purpose, categories, recipients, time period and possible transfer of such information.

The right to rectification

We are compliant with the right of data subjects to update, correct and complete your own personal data upon request.

The right to erasure

We are compliant with the right of data subjects to delete all personal data upon request, ensuring your ‘right to be forgotten’.

The right to restrict processing

We are compliant with the right of data subjects to stop the processing of your personal data upon request, if you believe it is inaccurate, objectionable or for other legal reasons.

The right to data portability

We are compliant with the right of data subjects to request and receive a copy of all the data you have previously provided to Netsparker.

The right to object

We are compliant with the right of data subjects to object to Invicti’s processing of your personal information, whether in general, so that we can no longer possess any of your information, or for a specific purpose, such as marketing or statistics.

Rights in relation to automated decision making and profiling

We are compliant with the right of data subjects to not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects that may significantly affect you.

Data Processing Addendum

If and to the extent that Data Protection Law applies to the Processing of Personal Data (as each of those terms are defined in the Data Processing Addendum), then the Data Processing Addendum (presently found at the following URL: https://www.invicti.com/legal/dpa/) shall form part of this Agreement.

Contact Us

You can read more about your individual rights from the Information Commissioner’s Office website.

And you can contact Netsparker to speak with us about how to use your rights or about any of these Data Protection issues by emailing us at privacy@invicti.com.

For general enquiries about Netsparker, email us at contact@invicti.com.