NegevSecure

GDPR Compliance

Last updated: January 3, 2026

NegevSecure is committed to protecting the privacy and rights of individuals in accordance with the General Data Protection Regulation (GDPR). This page explains how we comply with GDPR requirements and describes the rights available to data subjects in the European Economic Area (EEA).

1. Our Role Under GDPR

1.1 As a Data Controller

NegevSecure acts as a Data Controller when we collect and process personal data for our own purposes, such as:

  • Account registration and management
  • Customer support and communications
  • Billing and payment processing
  • Marketing (with consent)
  • Website analytics

1.2 As a Data Processor

NegevSecure acts as a Data Processor when we process personal data on behalf of our customers during security scans. In this capacity, we:

  • Process data only according to customer instructions
  • Maintain appropriate security measures
  • Assist customers with data subject requests
  • Delete or return data upon termination

2. Legal Bases for Processing

We process personal data under the following legal bases:

  • Contract Performance: Processing necessary to provide our Services
  • Legitimate Interests: Processing for fraud prevention, security, and service improvement
  • Consent: Marketing communications and optional features
  • Legal Obligation: Compliance with applicable laws

3. Your Rights Under GDPR

As a data subject in the EEA, you have the following rights:

3.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and to access that data along with information about how it is processed.

3.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data and completion of incomplete data.

3.3 Right to Erasure (Article 17)

You have the right to request deletion of your personal data under certain circumstances, including when the data is no longer necessary or when you withdraw consent.

3.4 Right to Restriction (Article 18)

You have the right to request restriction of processing in certain circumstances, such as when you contest the accuracy of the data.

3.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

3.6 Right to Object (Article 21)

You have the right to object to processing based on legitimate interests or for direct marketing purposes.

3.7 Right Not to be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, you may:

  • Email our Data Protection Officer at [email protected]
  • Use the data export and deletion features in your account settings
  • Submit a written request to our postal address

We will respond to your request within 30 days. We may request additional information to verify your identity before processing your request.

5. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions for countries with equivalent data protection
  • Binding Corporate Rules for intra-group transfers

6. Data Protection Measures

We implement comprehensive technical and organizational measures to protect personal data:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication (including MFA)
  • Regular security assessments and audits
  • Employee training on data protection
  • Incident response procedures
  • Data minimization and purpose limitation

7. Data Retention

We retain personal data only as long as necessary for the purposes for which it was collected:

  • Account data: Duration of the account plus 7 years for legal requirements
  • Scan data: According to your subscription plan's retention period
  • Support tickets: 3 years after resolution
  • Marketing data: Until consent is withdrawn

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours
  • Notify affected individuals without undue delay when required
  • Document the breach and remediation measures

9. Data Protection Officer

Our Data Protection Officer can be contacted at:

  • Email: [email protected]
  • Address: Data Protection Officer, NegevSecure, 123 Security Lane, San Francisco, CA 94102

10. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority, particularly in the EU Member State of your residence, place of work, or place of the alleged infringement.

11. Updates to This Notice

We may update this GDPR compliance notice from time to time. We will notify you of significant changes through email or our platform.

© 2026 NegevSecure. All rights reserved.