GDPR Compliance
Last updated: February 2026
Find The Breach ("we," "us," or "our") is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation. This page describes how we comply with the GDPR in our processing of personal data in connection with our vulnerability scanning and penetration testing services. For the purposes of the GDPR, Find The Breach acts as a data controller with respect to the personal data of its customers and website visitors, and as a data processor when processing personal data on behalf of customers in connection with the provision of our services.
1 Legal Basis for Processing
We process personal data only where we have a valid legal basis to do so. The legal bases upon which we rely include:
Contractual Necessity (Article 6(1)(b))
Processing that is necessary for the performance of our contract with you, including providing our vulnerability scanning services, managing your account, processing payments, and delivering scan reports.
Legitimate Interests (Article 6(1)(f))
Processing that is necessary for our legitimate interests, provided those interests are not overridden by your rights and freedoms. Our legitimate interests include improving and securing our services, preventing fraud and abuse, and conducting business analytics.
Consent (Article 6(1)(a))
Where we rely on your consent for processing, such as for marketing communications or the use of non-essential cookies. You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Legal Obligation (Article 6(1)(c))
Processing that is necessary for compliance with a legal obligation to which we are subject, such as tax reporting requirements, responding to lawful requests from public authorities, and maintaining records as required by applicable law.
2 Data Subject Rights
Under the GDPR, you have the following rights with respect to your personal data:
- Right of Access (Article 15): You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data and receive information about the processing.
- Right to Rectification (Article 16): You have the right to have inaccurate personal data corrected and incomplete personal data completed.
- Right to Erasure (Article 17): You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for its original purpose.
- Right to Restriction (Article 18): You have the right to request the restriction of processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
To exercise any of these rights, please submit a request to privacy@findthebreach.com. We will respond to your request within thirty (30) days. We may request verification of your identity before processing your request.
3 Data Protection Officer
Find The Breach has appointed a Data Protection Officer ("DPO") who is responsible for overseeing our data protection strategy and ensuring compliance with the GDPR. You may contact the DPO for any questions or concerns regarding our processing of your personal data or the exercise of your data subject rights:
EU Representative (Article 27)
As Find The Breach is established outside the European Union, we have designated an EU representative in accordance with Article 27 of the GDPR. Our EU representative can be contacted regarding any matters relating to the processing of personal data of individuals in the EU:
Designated EU Representative
Find The Breach EU Privacy Office
Operated by: Find The Breach LLC
Email: euprivacy@findthebreach.com
EU Member State of contact: Ireland
Our EU Representative office in Ireland operates with independent authority to receive and respond to inquiries from EU data subjects and supervisory authorities on behalf of Find The Breach LLC. The Representative maintains independent records of processing activities as required by Article 30 GDPR and is empowered to engage directly with the Irish Data Protection Commission and other EU supervisory authorities without requiring prior approval from Find The Breach LLC headquarters. The Representative has been provided with all information necessary to cooperate with supervisory authorities regarding the processing activities carried out by Find The Breach.
Our designated EU Representative under Article 27 GDPR serves as the point of contact within the European Union for all GDPR-related inquiries from EU data subjects and supervisory authorities. The EU Representative is authorized to receive communications on behalf of Find The Breach regarding data protection matters. All GDPR inquiries should be directed to euprivacy@findthebreach.com. For general data protection matters, you may also reach our Data Protection Officer at privacy@findthebreach.com.
4 Cross-Border Transfers
Find The Breach is based in the United States. When personal data is transferred from the European Economic Area ("EEA"), the United Kingdom, or Switzerland to the United States or other countries that have not received an adequacy decision, we ensure appropriate safeguards are in place:
- EU-U.S. Data Privacy Framework: Find The Breach participates in the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.
- EU-U.S. Data Privacy Framework (DPF) Adequacy Decision: The European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework on July 10, 2023 (Commission Implementing Decision (EU) 2023/1795), which was reaffirmed following the first annual review in October 2024. Find The Breach relies on Standard Contractual Clauses (SCCs) as its primary transfer mechanism, supplemented by Transfer Impact Assessments (TIAs) and additional safeguards as documented in our Data Processing Agreement. We are actively evaluating self-certification under the EU-U.S. DPF to provide an additional legal basis for transatlantic data transfers. For transfers from the UK, Find The Breach relies on the UK Extension to the EU-U.S. DPF or the UK International Data Transfer Agreement (IDTA), as applicable.
- Standard Contractual Clauses: We enter into EU Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Implementing Decision (EU) 2021/914) with our customers and sub-processors as an additional transfer mechanism.
- Transfer Impact Assessments: We conduct transfer impact assessments to evaluate the level of data protection in the destination country and implement supplementary measures where necessary.
- Data Minimization: We limit cross-border transfers to the minimum personal data necessary for the purposes of processing.
- UK Data Protection and Digital Information Act 2024: Find The Breach's processing of UK data subjects' personal data complies with the UK GDPR as supplemented by the Data Protection and Digital Information Act 2024 (DPDI Act). We monitor DPDI Act implementation guidance from the UK Information Commissioner's Office (ICO) and will update our practices as implementing regulations come into force. The DPDI Act introduces recognized legitimate interests, updated research provisions, and reformed cookie rules that may affect how we process UK data.
5 Privacy by Design and Default
In accordance with Article 25 of the GDPR, Find The Breach integrates data protection principles into the design and operation of our services from the outset:
- Data Minimization: We collect and process only the personal data that is strictly necessary for the provision of our services.
- Purpose Limitation: Personal data is collected for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes.
- Storage Limitation: Personal data is retained only for as long as necessary for the purposes for which it was collected, in accordance with our data retention policy.
- Security by Default: Our systems are configured with the highest level of privacy and security settings by default. Users do not need to take additional steps to protect their data.
- Pseudonymization and Encryption: Where technically feasible, we employ pseudonymization and encryption to reduce the risk to data subjects.
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication.
6 Data Protection Impact Assessments
In accordance with Article 35 of the GDPR, Find The Breach conducts Data Protection Impact Assessments ("DPIAs") for processing activities that are likely to result in a high risk to the rights and freedoms of data subjects. Our DPIA process includes:
- A systematic description of the processing operations, their purposes, and the legitimate interest of the controller where applicable
- An assessment of the necessity and proportionality of the processing in relation to the purposes
- An assessment of the risks to the rights and freedoms of data subjects
- The measures envisaged to address the risks, including safeguards, security measures, and mechanisms to ensure the protection of personal data
DPIAs are reviewed and updated on a regular basis and whenever there are significant changes to the processing operations. Where a DPIA indicates that the processing would result in a high risk in the absence of measures taken to mitigate the risk, we consult with the relevant supervisory authority prior to processing.
7 Supervisory Authority
If you are located in the European Economic Area or the United Kingdom, you have the right to lodge a complaint with a supervisory authority if you believe that our processing of your personal data violates the GDPR. You may lodge a complaint with:
- The supervisory authority of the EU Member State in which you reside, work, or in which the alleged infringement took place
- For UK residents, the Information Commissioner's Office (ICO)
We encourage you to contact us first at privacy@findthebreach.com so that we may attempt to resolve your concern before you file a complaint with the supervisory authority.
8 Contact Information
For questions about GDPR compliance or to exercise your data protection rights, please contact:
Find The Breach — Privacy Team
Bothell, WA
Email: privacy@findthebreach.com
Website: findthebreach.com