Security & Legal FAQ
Answers to the most common questions about scanning authorization, data privacy, compliance, and platform security.
Authorization & Legal
Yes. You are fully authorized to scan systems, networks, and domains that you own or have explicit written permission to test. By initiating a scan, you confirm that you hold the legal authority to do so.
Our Terms of Service require that every scan target is authorized. Unauthorized scanning of third-party infrastructure is strictly prohibited and may violate computer fraud and abuse laws (e.g., the Computer Fraud and Abuse Act (CFAA) in the United States and the Computer Misuse Act (CMA) in the United Kingdom).
Only with written authorization. If you are a managed security provider, penetration tester, or consultant, you must obtain documented, written consent from the system owner before scanning. This may take the form of a signed engagement letter, statement of work (SOW), or equivalent authorization document.
FindTheBreach reserves the right to suspend accounts that are found to be scanning unauthorized targets. You are solely responsible for ensuring that all scans comply with applicable laws and contractual obligations.
While FindTheBreach's scanning engines are designed for safe, non-destructive assessment, security scans inherently interact with live systems. In rare cases, vulnerable services may respond unpredictably to probe traffic.
Our liability framework: FindTheBreach is provided "as is" without warranty. We are not liable for any downtime, data loss, or service disruption resulting from authorized scans. Users accept full responsibility for scanning their targets, as outlined in our Terms of Service.
We recommend running initial scans during maintenance windows and starting with lighter scan profiles before escalating to comprehensive assessments.
FindTheBreach reports include timestamped, tamper-evident findings with cryptographic hashes for integrity verification. While our reports are designed to be thorough and accurate, their admissibility as legal evidence depends on the jurisdiction and legal context.
Limitations: We do not guarantee that scan reports will be accepted as evidence in any legal proceeding. For forensic-grade assessments, we recommend engaging a certified digital forensics professional in addition to using our platform. Chain-of-custody documentation is available to Enterprise customers on request.
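The answer above states that findings are timestamped and carry cryptographic hashes for integrity verification, but the page does not describe the report format. The following is an added illustration (not FindTheBreach's code) of one way such a check works: each finding is hashed together with the previous entry's hash, and the final hash is sealed with a keyed HMAC held by the platform. The field names, canonical-JSON encoding, sample findings and key are all constructed for the example. It also shows the caveat behind the legal-evidence question: a hash chain alone only proves internal consistency, and someone holding the report can rebuild a consistent chain; the seal under a key they do not hold is what ties the chain to the platform.

```python
"""Hash-chained, timestamped findings with an integrity check.

Added illustration of how tamper-evident report findings can be verified.
It is not FindTheBreach's report format (this page does not describe one);
the field names, the canonical-JSON encoding, the sample findings and the
server-side HMAC key are constructed for the example.
"""
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Constructed key. In a real deployment it lives in the platform's key
# management; the party holding the report must not have it, otherwise the
# seal proves nothing about who produced the chain.
SERVER_KEY = b"example-report-seal-key"
GENESIS = "0" * 64  # "previous hash" of the first entry

# Constructed sample findings, each carrying the timestamp it was recorded at.
SAMPLE_FINDINGS = [
    {"id": 1, "timestamp": "2025-03-01T09:12:04Z", "target": "app.example.test",
     "title": "TLS 1.0 enabled", "severity": "medium"},
    {"id": 2, "timestamp": "2025-03-01T09:12:31Z", "target": "api.example.test",
     "title": "Missing HSTS header", "severity": "low"},
    {"id": 3, "timestamp": "2025-03-01T09:14:02Z", "target": "shop.example.test",
     "title": "Outdated framework version", "severity": "high"},
]


def canonical(obj) -> bytes:
    """Deterministic JSON bytes so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(finding: Dict, prev: str) -> str:
    """SHA-256 over the finding and the previous entry's hash (the chain link)."""
    return hashlib.sha256(canonical({"finding": finding, "prev": prev})).hexdigest()


def chain_findings(findings: List[Dict], key: bytes = SERVER_KEY) -> Dict:
    """Build the chained report and seal its final hash with a keyed HMAC."""
    entries, prev = [], GENESIS
    for finding in findings:
        digest = entry_hash(finding, prev)
        entries.append({"finding": finding, "prev": prev, "hash": digest})
        prev = digest
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify_report(report: Dict, key: bytes = SERVER_KEY) -> Tuple[bool, str]:
    """Recompute every link and the seal; report the first inconsistency found."""
    prev = GENESIS
    for i, entry in enumerate(report["entries"]):
        if entry["prev"] != prev:
            return False, f"entry {i}: chain break (previous hash does not match)"
        if not hmac.compare_digest(entry_hash(entry["finding"], prev), entry["hash"]):
            return False, f"entry {i}: content or timestamp modified after hashing"
        prev = entry["hash"]
    expected_seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, report["seal"]):
        return False, "seal mismatch: chain rebuilt without the platform key"
    return True, "ok"


def tampered_copy(report: Dict, index: int, field: str, value) -> Dict:
    """Deep copy with one finding field edited and the hashes left untouched."""
    altered = copy.deepcopy(report)
    altered["entries"][index]["finding"][field] = value
    return altered


if __name__ == "__main__":
    report = chain_findings(SAMPLE_FINDINGS)
    print("original:", verify_report(report))
    print("severity edited in place:", verify_report(tampered_copy(report, 2, "severity", "info")))
    # Without the platform key a consistent chain can be rebuilt, but the seal cannot.
    edited = [e["finding"] for e in tampered_copy(report, 2, "severity", "info")["entries"]]
    rebuilt = chain_findings(edited, key=b"not-the-platform-key")
    print("chain rebuilt with another key:", verify_report(rebuilt))
```

The verifier needs the platform key, so in practice the check runs on the platform side (or the seal is replaced by a digital signature whose public key anyone can check); either way, what an auditor can confirm is that the findings and their timestamps have not changed since the platform sealed them, not that the scan itself was correct.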
Data Privacy
No. Your scan data is never shared with third parties, sold, or used for advertising. Scan results, target information, and vulnerability findings are accessible only to your account and authorized team members.
We use industry-standard encryption (AES-256-GCM authenticated encryption at rest, TLS 1.3 in transit) to protect all data. Our infrastructure is hosted in SOC 2-compliant data centers with strict access controls. For full details, see our Privacy Policy and Data Processing Agreement.
Scan data: Retained for 90 days from the date of the scan. An automated daily retention process permanently deletes expired scan reports, completed scan requests, and resolved vulnerabilities. Administrators can also trigger manual retention enforcement.
Account data: Retained for the lifetime of your account. Upon account deletion, all associated data — including scan history, reports, and personal information — is purged within 30 days.
Enterprise customers may negotiate custom retention periods via their service agreement. You may also manually delete individual scan reports at any time from your dashboard.
Under GDPR Article 17 (Right to Erasure) and equivalent regulations, you have the right to request complete deletion of your account and all associated data.
Self-service: Navigate to Settings → Account → Delete Account in your dashboard. This initiates an irreversible deletion process.
By request: Email privacy@findthebreach.com with the subject line "Account Deletion Request." We will verify your identity and process the request within 30 days.
Deleted data includes: account profile, scan history, reports, API keys, team memberships, and billing records (except where retention is required by law).
Compliance
Yes. FindTheBreach is fully compliant with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
We provide mechanisms for data access, portability, correction, and deletion as required by these frameworks. Our Data Processing Agreement covers GDPR Article 28 requirements for customers who process EU personal data through our platform.
For CCPA, California residents may exercise their rights by contacting privacy@findthebreach.com. We do not sell personal information.
Yes — as a readiness scanning tool. FindTheBreach can help you identify vulnerabilities and misconfigurations that may affect PCI DSS compliance, including requirements under sections 6.1 (vulnerability identification), 11.2 (vulnerability scanning), and 11.3 (penetration testing).
However, FindTheBreach is not a PCI Approved Scanning Vendor (ASV). For official PCI DSS quarterly external scans, you must use a PCI SSC-approved ASV. Our reports can complement your ASV scans by providing deeper internal vulnerability analysis.
Yes. FindTheBreach supports healthcare organizations in meeting HIPAA Security Rule requirements for regular technical evaluation (§ 164.308(a)(8)) and vulnerability management.
For Enterprise customers, we offer a Business Associate Agreement (BAA) that establishes the required HIPAA safeguards for any Protected Health Information (PHI) that may be incidentally encountered during scans. Contact sales@findthebreach.com to request a BAA.
Current: Our infrastructure is hosted in SOC 2 Type II-compliant data centers. We follow OWASP, NIST CSF, and CIS Controls frameworks in our internal security program.
Roadmap: We are actively pursuing SOC 2 Type II certification for the FindTheBreach platform itself, with an expected completion in 2026. ISO 27001 certification is planned for 2027. Enterprise customers can request our current security questionnaire and penetration test summary by contacting security@findthebreach.com.
Platform & Security
Yes. FindTheBreach incorporates AI and machine learning in several areas to enhance the accuracy and usefulness of security assessments:
- Vulnerability prioritization: AI models analyze severity, exploitability, and asset context to rank findings by real-world risk.
- False positive reduction: ML classifiers filter out noise, reducing false positives by up to 70%.
- Remediation guidance: AI-generated, context-aware fix recommendations tailored to your technology stack.
- Executive summaries: Natural language report summaries for non-technical stakeholders.
All AI features are clearly labeled in the interface. Scan engine detections are based on deterministic security tools — AI augments but never replaces the core scanning logic.
We implement multiple layers of security to protect your account and data:
- Multi-factor authentication (MFA): TOTP-based MFA available for all accounts; enforced for Enterprise.
- Encryption: AES-256-GCM authenticated encryption at rest, TLS 1.3 in transit. API keys are hashed with bcrypt, and TOTP secrets are encrypted with AES-256-GCM.
- Session management: Sessions expire after 24 hours of inactivity. Concurrent session limits are enforced.
- Rate limiting & brute-force protection: Automatic account lockout after repeated failed login attempts.
- Audit logging: All account actions are logged with IP address, timestamp, and user agent.
We recommend enabling MFA and using a strong, unique password. Enterprise customers can configure SSO via SAML 2.0 or OIDC.
We take the security of our platform seriously and welcome responsible disclosure from the security community.
Report vulnerabilities to: security@findthebreach.com or through our Responsible Disclosure Program.
Please include: a detailed description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept code. We ask that you give us reasonable time to investigate and address the issue before public disclosure.
We commit to acknowledging reports within 48 hours and providing status updates within 7 business days. We do not pursue legal action against researchers who act in good faith.
Yes. Our vulnerability scanning covers many of the technical controls required by NIS2 (Directive 2022/2555) and the NIS2 Implementing Regulation (EU 2024/2690), including regular vulnerability assessments, network security testing, and documentation of findings suitable for regulatory audits.
Our scanning capabilities align with the security testing requirements outlined in ENISA’s 2025 Technical Implementation Guidance on cybersecurity risk management measures, which maps penetration testing and vulnerability assessment as recommended practices for NIS2-regulated entities including managed service providers and digital infrastructure operators.
Our compliance mapping feature aligns scan findings with specific NIS2 requirements, and our reports can be used as supporting evidence for NIS2 compliance documentation.
Important: Using Find The Breach supports but does not guarantee NIS2 compliance. NIS2 compliance requires a comprehensive organizational approach beyond technical scanning.
Yes. Find The Breach supports financial institutions subject to DORA (Regulation EU 2022/2554), which became applicable on January 17, 2025. DORA mandates that financial entities and their critical ICT third-party providers implement comprehensive digital operational resilience testing.
Our platform helps with DORA compliance through:
- Article 25 (ICT Risk Assessment): Regular vulnerability scanning and attack surface monitoring
- Article 26 (Testing Requirements): Automated penetration testing with evidence-backed findings suitable for DORA audit trails
- Article 27 (TLPT): Threat-Led Penetration Testing support with structured evidence chains and proof-of-exploit documentation
- Article 17 (Incident Classification): Our DPA includes DORA's 4-hour incident classification and 24-hour preliminary notification timelines
Our compliance reports map scan findings to DORA requirements, and our Data Processing Agreement (DPA) includes DORA-specific contractual provisions for ICT third-party risk management (Article 28).
Important: DORA compliance requires Threat-Led Penetration Testing (TLPT) for significant financial entities — our automated scanning can supplement but not fully replace the human-led TLPT requirement under Article 26(8). We recommend combining our platform with a qualified TLPT provider.
The EU Cyber Resilience Act (Regulation 2024/2847) establishes cybersecurity requirements for products with digital elements. While the CRA primarily targets hardware and software products placed on the EU market, it has implications for SaaS platforms that integrate with or test such products.
How Find The Breach helps with CRA compliance:
- Vulnerability identification: Our scanning detects vulnerabilities that CRA requires manufacturers to address (Art. 13 — vulnerability handling requirements)
- SBOM validation: Our open source license tracking supports Software Bill of Materials (SBOM) transparency requirements under CRA Art. 13(5)
- Continuous monitoring: CRA requires ongoing vulnerability monitoring — our scheduled scanning and attack surface monitoring supports this obligation
- Incident reporting support: CRA requires reporting of actively exploited vulnerabilities within 24 hours to ENISA — our scan results can help identify such vulnerabilities early
CRA Timeline: Reporting obligations apply from September 2026; full compliance required by December 2027. Find The Breach will continue enhancing our platform to help customers meet these evolving requirements.
Disclaimer: Find The Breach is a security scanning tool, not a CRA compliance certification body. Consult qualified legal counsel for specific CRA compliance obligations.
The revised EU Cybersecurity Act (CSA2), proposed in January 2026, expands the European Cybersecurity Certification Framework (ECCF) to cover managed security services including penetration testing, security audits, incident response, and consultancy. Under CSA2, ENISA will develop certification schemes that may become mandatory for service providers operating in the EU market.
FindTheBreach is actively monitoring CSA2 developments and will pursue applicable certifications as the framework is finalized. Our current security practices align with the principles underlying the proposed regulation, including standardized testing methodologies, supply chain transparency, and documented risk management.
CSA2 is currently at the proposal stage. FindTheBreach will update this guidance as the regulation progresses through the EU legislative process.
Find The Breach reports provide evidence of vulnerability assessment activities suitable for inclusion in compliance documentation. Our compliance report generator maps findings to specific framework controls (PCI DSS, SOC 2, ISO 27001, HIPAA).
However: Our automated scans are not a substitute for certified manual penetration tests required by some frameworks (e.g., PCI DSS Requirement 11.4 requires an Approved Scanning Vendor for external scans). We recommend using our reports alongside qualified assessor-led testing for formal compliance purposes.
For PCI DSS specifically, you should engage a PCI-certified QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor) for the scans that your acquiring bank requires.
In the event of business discontinuation, we will:
- Provide at least 90 days advance notice to all active customers
- Enable full data export during the notice period (via our existing data export API)
- Securely destroy all customer data per NIST SP 800-88 within 30 days after the notice period
- Provide certificates of destruction upon request
This commitment is documented in our Terms of Service and applies to all subscription tiers.
Our AI Security Copilot analyzes scan results to provide contextual recommendations, and our Threat Intelligence Engine uses CVE data to compute Real Risk Scores. Here are the key data handling commitments:
- No training on your data: Your scan data is NEVER used to train machine learning models
- Self-hosted AI processing: When using self-hosted AI providers, all processing occurs within your infrastructure
- Minimal external calls: Threat intelligence queries to NVD, EPSS, and CISA KEV use only CVE identifiers — no target-specific data is shared
- Configurable AI providers: You choose which AI provider to use (or none) for the Security Copilot feature
See our Privacy Policy for full details on automated processing.
Find The Breach operates a multi-tenant architecture with strict logical data isolation:
- Database-Level Isolation: Each customer's scan data, vulnerability findings, and account information is logically separated using tenant-scoped access controls. All database queries are parameterized and scoped to the authenticated user ID.
- Network Segmentation: Scan execution environments are ephemeral and isolated per scan job. No scan execution environment has access to another customer's data or targets.
- Encryption at Rest: All customer data is encrypted at rest using AES-256-GCM encryption with key management through our cryptographic infrastructure.
- Access Controls: Role-based access controls (RBAC) enforce tenant boundaries at the application layer. All API requests are authenticated and authorized against the requesting user's scope.
- Audit Logging: All data access is logged with user context for forensic analysis and compliance auditing.
Enterprise customers requiring dedicated infrastructure or physical data isolation should contact sales@findthebreach.com for custom deployment options.
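The isolation answer above says every database query is parameterized and scoped to the authenticated user. As an added illustration (not FindTheBreach's code; the `findings` table, its columns and the sample rows are constructed), the block below shows that pattern in Python with the standard-library `sqlite3` module: the tenant identifier always comes from the authenticated session and is bound into every query, while the finding id from the request is bound as a parameter rather than interpolated. An unscoped, string-built query is kept beside it only to show what the two controls prevent: a request from one tenant for another tenant's finding returns nothing, and a finding id that is not a plain integer is treated as data rather than as SQL.

```python
"""Tenant-scoped, parameterized data access for a multi-tenant scan platform.

Added illustration, not FindTheBreach's own code. The schema, table and
column names and the sample rows are constructed for this example.
"""
import sqlite3
from typing import List, Optional


def build_sample_db() -> sqlite3.Connection:
    """In-memory database holding findings for two tenants (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.execute(
        "CREATE TABLE findings ("
        " id INTEGER PRIMARY KEY, tenant_id INTEGER NOT NULL,"
        " target TEXT NOT NULL, title TEXT NOT NULL, severity TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO findings (id, tenant_id, target, title, severity) VALUES (?, ?, ?, ?, ?)",
        [
            (1, 100, "app.tenant-a.example", "Outdated TLS configuration", "medium"),
            (2, 100, "api.tenant-a.example", "Missing security headers", "low"),
            (3, 200, "shop.tenant-b.example", "Outdated framework version", "high"),
        ],
    )
    conn.commit()
    return conn


def get_finding(conn: sqlite3.Connection, tenant_id: int, finding_id) -> Optional[dict]:
    """Return one finding, or None when it does not belong to this tenant.

    tenant_id is taken from the authenticated session, never from the request,
    and is bound into the query so a cross-tenant id simply matches nothing.
    finding_id is the untrusted path value; binding it as a parameter means
    the database sees it as a value, never as part of the SQL text.
    """
    row = conn.execute(
        "SELECT id, tenant_id, target, title, severity FROM findings"
        " WHERE id = ? AND tenant_id = ?",
        (finding_id, tenant_id),
    ).fetchone()
    return dict(row) if row else None


def list_findings(conn: sqlite3.Connection, tenant_id: int) -> List[dict]:
    """Every finding visible to one tenant, and nothing from any other."""
    rows = conn.execute(
        "SELECT id, target, title, severity FROM findings WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()
    return [dict(r) for r in rows]


def unscoped_finding_INSECURE(conn: sqlite3.Connection, finding_id: str) -> List[dict]:
    """Anti-pattern kept only for contrast: no tenant filter and the id is
    pasted into the SQL text, so the caller controls both what rows are
    matched and how the statement is parsed."""
    rows = conn.execute(
        f"SELECT id, tenant_id FROM findings WHERE id = {finding_id}"
    ).fetchall()
    return [dict(r) for r in rows]


if __name__ == "__main__":
    db = build_sample_db()
    print("tenant 200 reads its own finding 3:", get_finding(db, 200, 3))
    print("tenant 100 asks for finding 3:", get_finding(db, 100, 3))
    print("tenant 100 listing:", list_findings(db, 100))
    print("non-integer id, scoped query:", get_finding(db, 200, "3 OR 1=1"))
    print("non-integer id, unscoped query:", unscoped_finding_INSECURE(db, "3 OR 1=1"))
```

The audit-logging bullet pairs naturally with this: logging `tenant_id` and `finding_id` on every `get_finding` call that returns `None` gives the detection signal for someone probing ids that are not theirs.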
Still have questions?
Our security team is available to answer questions about compliance, data handling, or any other security-related concerns.