CATCH & PATCH

Privacy Policy for SecTeer VulnDetect

This policy describes the type of information gathered and processed by SecTeer.

Creating an account and installing SecTeer software implies acceptance of this
Privacy Policy. Links to this privacy policy are provided at account creation,
the website, and user interfaces.

Active accounts are notified when significant changes are made to the privacy policy.

This policy was last updated on the 22nd of April 2022.

Who is SecTeer?

SecTeer is a privately held limited company incorporated in Denmark.

SecTeer ApS
Njalsgade 76, 4th Floor
DK2300 Copenhagen S
Denmark

Company / VAT number: DK38330462
Phone: +4570707759
Email: contact [at] secteer.com

Management / Director: Michael Zaman
Privacy Officer: Thomas Kristensen

If you feel that something needs to be clarified, then you are most welcome to 
write to SecTeer via support [at] secteer.com.

Data collected

SecTeer collects the following information for VulnDetect – Personal accounts:

  • Name (optional)
  • Email / Username (mandatory)
  • Password (mandatory)
  • Other personal information is not required to use the product, but you may be encouraged to supply this
  • IP addresses used to log in and submit data

SecTeer collects the following information for VulnDetect – Corporate accounts:

  • Name (optional)
  • Email / Username (mandatory for users with access to the web-based user interface)
  • Password (mandatory)
  • Other personal information is not required to use the product, but you may be encouraged to supply this
  • IP addresses used to log in and submit data

The SecTeer VulnDetect products collect the following information from your PC or device:

  • Program file names (NOT data files)
  • Metadata of program files, including, but not limited to size, version information, date, hashes, digital signatures, and other header/meta information
  • The directory structure, for example the location of program files
  • Registry information related to installed software
  • Hostname or other unique identifiers to ensure correct correlation in reporting

Products from SecTeer will not intentionally collect data from non-program files; if such data is retrieved, it will be removed as soon as possible.

Your access to your data

You can view all processed data stored by SecTeer via the user interface. Most data is extractable via reports. 

Raw non-personal data

SecTeer does not offer a specific option to download the data in a raw format. Our
format is considered proprietary and incompatible with other solutions.

SecTeer stores the raw file data in a separate database for statistical, analytical and quality assurance purposes. This data is non-personal metadata based on:

  • Executable and executable library files
  • Registry information about installed programs, particular hardware, and driver information

Any personal data found by SecTeer in the raw file data will be deleted immediately. Automated processes will ensure that such data will be removed from subsequent scans.

Erasure and right to be forgotten

Deleting an account is effective immediately and is irrevocable. Please contact SecTeer at support [at] secteer.com.

Backup data is retained for 8 days before it is automatically purged and overwritten. SecTeer will NOT restore this data, even upon direct request from the account owner. Backups are only used in case of general failures/emergencies.

The raw file data is anonymized, as the unique pseudonymized string is deleted together with the user data. You can request to have this data deleted; however, this must be completed prior to the account being deleted. After the account is deleted, we are not able to identify the owner of the data. Inactive accounts will be automatically deleted after 12 months. You will receive a notification via email 3 months and 1 month before the automated deletion.

Rectification

Any data stored by SecTeer that is found to be inaccurate can be updated through the user interface.

If you believe there is incorrect information based on your inspection results, then you should raise a support case by providing feedback on the console or by sending an email to support [at] secteer.com. However, this is not considered rectifiable data under the GDPR and will only be updated at SecTeer’s discretion.

Jurisdiction

SecTeer is based in Denmark, which is a member of the European Union. Our data processing policies are aligned with the European GDPR.

All data is stored at data center facilities in Ireland, Germany, Finland, The Netherlands and Denmark. SecTeer intends to abide by European data protection laws at any given time and will adapt to future changes.

Data at rest

All user data is stored on encrypted disks.

Offline data, for example backups, is encrypted before leaving active storage and is transmitted using encrypted communication to a device that is also encrypted.

Access to storage and encryption keys is highly restricted.

Backups with personally identifiable information are only retained for 8 days.

Log data is stored on active systems for 30 days and is further retained in non-active backup archives for 3 months.

Data pertaining to orders, email communication, and support cases will be retained for more extended periods. Information relevant for accounting and tax will be archived for approximately 5 years in accordance with the applicable Danish law.

Access to data by third-parties

SecTeer does not share data with any third-parties unless explicitly stated prior to or during collection.

SecTeer will adhere to court orders issued by a Danish Court. If we receive court orders from other jurisdictions, we will consult legal counsel to assess if we need to comply.

SecTeer utilizes third-party data processors, all of whom comply with GDPR. When possible, we will store and process data in the EU. In the event that it is not possible to control the geographic location of data, we will choose a provider who is GDPR and/or EU-US Privacy Shield compliant.

Third-party processors used by SecTeer:

DigitalOcean: Installers and packages are stored at DigitalOcean, only some log data related to HTTPS requests for this content are stored temporarily on the hosts:

https://www.digitalocean.com/legal/data-processing-agreement/

Hetzner: The main services are running on physical instances managed by SecTeer. The data centre facilities and Internet uplink are provided by Hetzner; Hetzner only has access to IP traffic / encrypted data in transit. Data at rest is stored on fully encrypted local storage:

https://www.hetzner.com/pdf/en/FOX_Certificate.pdf

Data Processing & Audit documents:

https://secteer.com/dataprocessing/Hetzner

https://secteer.com/dataprocessing/Hetzner/Audit

Hosts with live data are primarily located in Germany, hot backups are primarily located in Finland.

Microsoft: We utilize Microsoft 365 for email:

https://www.microsoft.com/en-us/TrustCenter/CloudServices/office365/GDPR

ZOHO CRM: Our CRM and support systems are based on ZOHO:

https://www.zoho.eu/gdpr.html

Cookies, logging and tracking

SecTeer analyses user behavior, both on our website and in the SecTeer VulnDetect application, via cookies and logging. Cookies are also used for identifying authenticated users in the SecTeer VulnDetect application.

SecTeer does not currently set any cookies on behalf of third-parties within the SecTeer VulnDetect application.

Disabling cookies may alter the user experience and prevent usage of the SecTeer VulnDetect application. You may, however, choose to delete cookies after each visit/usage of the application. The only consequence of this is that you will be prompted for authentication details on every visit.

SecTeer logs access to all sites and services. The only identifiable information in the log files is an IP address and a pseudonymized part of an authentication token (when you access a service that requires authentication). This is used for statistical, analytical, forensic, and troubleshooting purposes only. These logs are not correlated to customer data using automated methods.

SecTeer does not currently utilize a cloud-based web analytics tool within our solutions, including VulnDetect; however, we reserve the right to implement a cloud-based analytics tool if we find one that honors our users' and customers' right to privacy (for example, one that doesn't share data with advertising networks and similar).

Logs may be retained for extended periods of time in the event of a suspected incident. Logs can't be used to recreate personally identifiable information, except for IP addresses and account/agent tokens.

If a user deletes a profile, then all data that exists (for example, agent tokens) which can correlate the user with any other personal data is also deleted.

Log files are archived for 2 – 8 weeks. They will be reviewed and analyzed in case of a suspected incident as part of our security incident response process. These archives will only be accessed in case of legal issues or for forensic purposes.

Security and Encryption

Data transfer

All data transmitted to and from SecTeer services is encrypted. We follow best
practices for the implementation of HTTPS and TLS on our services and prevent
access to our services using low-grade encryption.

HTTP access is automatically redirected to HTTPS. Our HTTP service does not provide access to anything except the redirection.

Certificates

All certificates used by SecTeer are issued by LetsEncrypt and DigiCert. LetsEncrypt is used for the website and all other web based services, including VulnDetect.org (support forum) and some staging environments. DigiCert is used for signing our executables and scripts.

For more information, please access the following:
https://vulndetect.org/topic/2543/vulndetect-task-scripts-powershell-certificates

If a certificate claiming to be issued for any *.secteer.com site is signed by another party, it should not be trusted. This page and our CAA DNS record will be updated in the event that we change provider.

SecTeer also utilizes CAA, HSTS and CT.

Domain names

SecTeer operates exclusively from:

*.secteer.com
*.vulndetect.com

And the support forum:
vulndetect.org

Although SecTeer owns other domains, these are not actively used.

Passwords

All usernames and passwords are hashed BEFORE being sent to SecTeer. This prevents SecTeer from actually knowing your password.

When the hashed username and password are received by SecTeer, they are hashed again and subsequently used to look up and authenticate the appropriate account.

NOTE: The above process does not make your account more secure. It does, however, prevent SecTeer from knowing your actual password and makes brute-force attempts on your account significantly slower.
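The two-stage scheme described above, shown as an added illustration that is not SecTeer's own code (the policy does not say which hash functions, iteration counts or salts VulnDetect uses; PBKDF2-HMAC-SHA256 on both sides, the lower-cased username as the client-side salt, and a random 16-byte per-account salt on the server are all assumptions made here):

```python
import hashlib
import hmac
import secrets

# Assumed parameters (not from the policy): PBKDF2-HMAC-SHA256 on both sides.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000


def client_hash(username: str, password: str) -> str:
    """Runs on the user's device. Produces the credential that is actually
    transmitted; the plaintext password never leaves this function.
    The username is used as the salt (assumption) so that the same password
    on two accounts yields two different transmitted credentials."""
    salt = ("client-credential:" + username.lower()).encode()  # assumed domain tag
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_ITERATIONS)
    return derived.hex()


class CredentialStore:
    """Server side. Only ever receives the client-side hash, and hashes it
    again with a random per-account salt before storing it, so a copy of the
    table cannot be replayed as a login credential."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes]] = {}  # user -> (salt, server hash)
        # Dummy salt used so that a lookup of an unknown user costs the same
        # time as a real one (avoids a timing side channel on account existence).
        self._dummy_salt = b"\x00" * 16

    @staticmethod
    def _rehash(transmitted_credential: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac(
            "sha256", bytes.fromhex(transmitted_credential), salt, SERVER_ITERATIONS
        )

    def register(self, username: str, transmitted_credential: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username.lower()] = (salt, self._rehash(transmitted_credential, salt))

    def authenticate(self, username: str, transmitted_credential: str) -> bool:
        try:
            record = self._accounts.get(username.lower())
            if record is None:
                self._rehash(transmitted_credential, self._dummy_salt)  # equalise timing
                return False
            salt, stored = record
            candidate = self._rehash(transmitted_credential, salt)
            return hmac.compare_digest(candidate, stored)  # constant-time compare
        except ValueError:  # malformed (non-hex) credential from the client
            return False

    def stored_material(self) -> list[str]:
        """Everything an attacker would obtain from a dump of this table."""
        return [salt.hex() + ":" + h.hex() for salt, h in self._accounts.values()]


if __name__ == "__main__":
    store = CredentialStore()
    sent = client_hash("alice@example.com", "correct horse battery staple")  # constructed sample
    store.register("alice@example.com", sent)
    print("login with right password:", store.authenticate("alice@example.com", sent))
    print("login with wrong password:",
          store.authenticate("alice@example.com", client_hash("alice@example.com", "wrong")))
```

From the server's point of view the transmitted client hash is the effective password, which is why the note above says the scheme does not by itself make the account more secure: anyone holding that string can log in, and the usual advice of unique passwords per service still applies. What the second, salted hash on the server protects is the stored table, since a leaked table cannot be replayed directly and each entry must be brute-forced separately.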

Regardless of this, we always recommend that you use individual passwords for all online services.

You should also note that the “agent” which is installed on your machine does not know your password. Instead, it uses a token for authentication. This token is a “submit data only” token and thus it can’t be used to read your data, which can only be done by your username and password.

Password reset

If you have lost or forgotten your password, you can only gain access to your account by resetting your password. This requires access to the email address used during the creation of your account. If you don't have access to your email, you must create a new account. The old account will automatically be deleted if it remains inactive.

Encryption at rest

All user data is stored on encrypted devices to prevent leakage when disposing of old/broken hardware or recycling storage at the cloud provider.

Software

All software used on SecTeer server systems is updated regularly. We intend to test and deploy all security-related updates released by the vendor within a few business days after the public availability of the updates.

Access

Access to user data is on a "need-to-know" basis. All access to data and systems hosting data requires authentication and is logged.

Backups

Backups are encrypted before being retrieved and stored in a separate location. Backups containing user data are usually only retained for 8 days. Other backups are retained for longer.

Disputes and complaints

If you feel the need to lodge a complaint, you may contact the Supervisory Authority in Denmark, Datatilsynet:

https://www.datatilsynet.dk/
DATATILSYNET
Borgergade 28, 5
1300 København K
Telefon 3319 3200
Fax 3319 3218
Email dt@datatilsynet.dk
