GDPR Article 30

Records of Processing Activities

A structured record of all personal data processing activities conducted by Find The Breach LLC, as required by GDPR Article 30.

Last Updated: February 23, 2026

1 Data Controller Details

Organization: Find The Breach LLC
Address: Bothell, WA 98012, United States
Data Protection Contact: privacy@findthebreach.com
Legal Contact: legal@findthebreach.com

2 Processing Activities

Account Registration & Authentication
  Purpose: Provide access to scanning platform
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Email, hashed password, name, company, MFA secrets (encrypted)
  Recipients: Hetzner (hosting), Cloudflare (CDN/WAF)
  Retention: Account lifetime + 30 days
  Transfer Mechanism: EU-US DPF, SCCs

Vulnerability Scanning
  Purpose: Execute security scans on authorized targets
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Target URLs/IPs, scan results, vulnerability findings, HTTP responses
  Recipients: Hetzner (hosting), NVD API (CVE enrichment)
  Retention: 90 days (configurable)
  Transfer Mechanism: EU-US DPF

Vulnerability Reports & Evidence
  Purpose: Generate downloadable compliance and security reports
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Scan findings, severity scores, remediation guidance, evidence data
  Recipients: Hetzner (hosting)
  Retention: 90 days
  Transfer Mechanism: N/A (EU-hosted)

Payment Processing
  Purpose: Process subscription payments
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Billing name, email, payment method (tokenized by Stripe)
  Recipients: Stripe (PCI DSS Level 1)
  Retention: 7 years (tax/legal)
  Transfer Mechanism: EU-US DPF, SCCs

Transactional Email
  Purpose: Send account notifications, scan alerts, reports
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Email address, notification content
  Recipients: Email provider (SMTP)
  Retention: 30 days (logs)
  Transfer Mechanism: SCCs

Activity Logging & Audit Trail
  Purpose: Security monitoring, compliance audit trail
  Legal Basis: Art. 6(1)(f), legitimate interest (security)
  Data Categories: User ID, action type, IP address, timestamp, request details
  Recipients: Hetzner (hosting)
  Retention: 1 year
  Transfer Mechanism: N/A (EU-hosted)

CVE & Threat Intelligence Enrichment
  Purpose: Enrich findings with CVE, EPSS, CISA KEV data
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: CVE identifiers, CVSS scores (no personal data)
  Recipients: NVD (NIST), CISA, FIRST.org
  Retention: 30 days (cache)
  Transfer Mechanism: Public data sources

AI Security Copilot
  Purpose: AI-assisted vulnerability analysis and remediation guidance
  Legal Basis: Art. 6(1)(a), consent (opt-in feature)
  Data Categories: Scan context, vulnerability descriptions (anonymized before processing)
  Recipients: LLM provider (configurable, no PII sent)
  Retention: Session only (not persisted)
  Transfer Mechanism: SCCs / DPF per provider

Webhook & Integration Delivery
  Purpose: Deliver scan results to user-configured endpoints
  Legal Basis: Art. 6(1)(b), contract performance
  Data Categories: Scan results, webhook URLs, delivery status
  Recipients: User-specified endpoints (Slack, etc.)
  Retention: 30 days (delivery logs)
  Transfer Mechanism: Per user configuration

3 Technical & Organizational Measures (Art. 32)

Encryption

  • AES-256-GCM for sensitive data at rest (TOTP secrets)
  • TLS 1.2+ for all data in transit
  • PBKDF2-HMAC-SHA256 (200K iterations) for key derivation
  • Bcrypt password hashing

Access Control

  • Role-based access control (admin/client)
  • MFA/TOTP for admin accounts
  • API key scoping (read/write/scan)
  • Account lockout after 5 failed attempts

Monitoring

  • Comprehensive activity logging
  • Rate limiting on all endpoints
  • Security headers (HSTS, CSP, X-Frame-Options)
  • Automated data retention enforcement

Infrastructure

  • Docker containerized deployment
  • Cloudflare WAF and DDoS protection
  • PostgreSQL with connection pooling
  • Regular security scanning of own infrastructure

4 Data Subject Rights

Individuals may exercise their rights under GDPR Articles 15-22 by contacting privacy@findthebreach.com. We respond within 30 days.

Art. 15 — Right of Access
Art. 16 — Right to Rectification
Art. 17 — Right to Erasure
Art. 18 — Right to Restrict Processing
Art. 20 — Right to Data Portability
Art. 21 — Right to Object

5 International Transfers

Where personal data is transferred outside the EEA/UK, we rely on the following mechanisms:

  • EU-US Data Privacy Framework (DPF): for transfers to US organizations that are certified under the DPF
  • Standard Contractual Clauses (SCCs): the clauses adopted in Commission Implementing Decision (EU) 2021/914

Transfer Impact Assessments. We conduct Transfer Impact Assessments (TIAs) for all international transfers in accordance with EDPB Recommendations 01/2020, evaluating the laws of destination countries and supplementary measures needed. TIA documentation is available to Enterprise customers upon request.