Data Privacy Notice
VulDB (part of pyxyp inc.) takes protection of personal data very seriously. We follow national and international laws, regulatory obligations, guidelines, and best practices to guarantee the highest level of security and transparency of personal data for our clients. Our process was reviewed by a privacy law study at Princeton University and Radboud University. This document summarizes our efforts and answers the following questions:
- Why and how is VulDB collecting and storing personal data
- What is the lawful basis on which personal data is processed
- What are your rights and our obligations related to this data handling
Personal Data Collecting and Processing
Types of Personal Data
Depending on the client relationship (if any), VulDB (part of pyxyp inc.) collects and processes the following kinds of personal data:
- Any access to our web services including data submitted by your web browser like timestamp, IP address, hostname, request language, user-agent, operating system and requested resource;
- Any records of phone calls with customers and partners including date/time, phone number, company and name. This might also include recordings of voice communication for educational and legal purposes. Such a recording would be announced beforehand;
- Where applicable, professional information about customers and partners like name, associated company, job title and contact information.
Depending on the customer relationship, data will fall into one of the following categories:
- Necessary for the legitimate interest of VulDB, without affecting the personal interests or fundamental rights and freedoms of a client;
- Necessary for preparing or executing services or products a customer has requested at VulDB;
- Required to meet our national and international legal or regulatory obligations.
Purposes of Processing
VulDB is processing personal data only for a specific purpose in the interest of the client relationship. This is in particular:
- Client on-boarding processes to verify your identity;
- Managing our relationship with existing clients;
- Providing products and services requested by clients;
- Guaranteeing proper availability and execution of requested products and services;
- Helping us to learn about the demands of our customers to optimize products and services;
- Meeting our on-going legal, regulatory, and compliance obligations;
- Ensuring security and safety for clients, employees and partners.
Access to Personal Data
Data located at VulDB (part of pyxyp inc.) is accessible by internal employees only. We follow the least privilege principle where access is minimized to employees only, if and as long as they are assigned to a project or process.
All employees are required to sign a non-disclosure agreement and complete mandatory confidentiality and privacy trainings, as well as our code of conduct training. We are not sharing any kind of personal data with third parties, service providers, authorities, or the public.
The HQ of VulDB is in Zürich, Switzerland. All personal data is stored in Switzerland and will not be transferred or shared outside Switzerland. Accessing and submitting data might let it traverse other countries and adjacent companies (like internet service providers, mail servers, web hosters). We have no influence over this, given the technological and topological structure of such Internet connections.
We are not working with ad networks, we are not embedding external libraries, we are not embedding external fonts, and we are not embedding social media buttons. All core files delivered to customers are hosted on VulDB servers.
Under some circumstances we may embed videos from external sources if it helps to enrich the user experience (e.g. YouTube, Vimeo). Such embedded objects always enable all available privacy features (e.g. encryption, disabling third-party cookies, HTTP security headers) to limit disclosure of personal data to outside entities.
Payment handling might be done by an external service provider. Such extended data processing would be indicated at the beginning of the exchange.
We provide a Secure Transfer Server, an in-house solution to exchange data via secure channels and to prevent exposed transmission via other countries and companies. Please use additional security measures like encryption (e.g. PGP, S/MIME) to increase the security of all your exchanges.
VulDB will only retain personal data as long as necessary to fulfil the purpose for which it was collected. This retention time will comply with legal, regulatory and internal policy requirements. After that retention period the data will be deleted irreversibly.
You have the right to correct inaccurate personal data we collect and process. We are committed to keep your personal data accurate and up-to-date. Therefore, if your personal data changes, please inform us as soon as possible.
Where we process your personal data on the basis of your consent you have the right to withdraw this consent at any time. Please note that this withdrawal may not affect our legal or regulatory obligations of data processing.
You have the right to ask us to stop processing your personal data. You also have the right to ask us to delete personal data already collected and processed. If you object to direct marketing, you always have the option to click an unsubscribe button to halt further direct marketing. We need to store such opt-out inquiries to prevent unwanted processing in the future.
Where personal data is processed after your agreement, it is possible to ask that we transfer all collected data back to you, as applicable under the data protection laws.
You can exercise the rights set out above by contacting our DPO (Data Protection Officer). See below for contact possibilities.
Exercising Rights and Complaints
If you have any questions or are not satisfied with the collecting and processing of your personal data by VulDB (part of pyxyp inc.), we would be happy to discuss the matters with you and find an acceptable solution. Please contact us:
- Approach your account manager at VulDB directly
- Send feedback by email to firstname.lastname@example.org
- Contact our DPO (Data Protection Officer) with the contact form on our web site
We have state-of-the-art technical and organizational security measures in place to prevent the unauthorized and unlawful access and misuse of personal data. Regular security testing of our services helps us to reduce the attack surface. In addition, monitoring, logging, and alerting systems help us to identify and react to attack attempts quickly. If you suspect that a system is misbehaving, please contact us so we may address the issues as soon as possible.
Status of Privacy Notice
This privacy notice was set into effect in May 2018 and updated in June 2019 (clarifying wording, added payment processing). It is a notice explaining what VulDB (part of pyxyp inc.) does. It is not a contractual agreement with customers. We reserve the right to change this notice as needed.