Privacy Policy
This Privacy Policy explains how Secdit ("we", "us", or "our") collects, uses, shares, and retains personal data when you visit our website or use our services, including the ConfigSentry firewall auditing platform.
1. Scope
This policy applies to our public website, ConfigSentry sign-up and account flows, cookie preferences tool, support channels, and audit, reporting, and billing features where available.
By using our website or services, you acknowledge the practices described in this Privacy Policy.
2. Data Controller and Contact
Data controller: Secdit
Contact: support@secdit.com | Contact page
If you have questions about this Privacy Policy or how your data is handled, please contact us using the details above.
3. Personal Data We Collect
3.1 Account and Contact Data
When you create an account, sign in, contact us, or manage a subscription or purchase, we may collect:
- Name
- Email address
- Account login information and authentication data
- Account or profile information such as company or organisation name, preferences, and settings
- Billing, purchase, and transaction information where relevant
- User support and correspondence records
3.2 Service and Audit Data
When you use ConfigSentry, we may process data that you submit or that is generated while delivering the service, including:
- Raw firewall configuration data uploaded or retrieved for analysis, including temporary encrypted queued payloads where an audit waits for processing
- Audit findings, scores, reports, and related metadata
- Identified potential security issues and related review notes
- Collector metadata and appliance connection details you configure; secrets entered locally can remain on the collector host
- Support requests and correspondence
For the normal hosted audit path, sensitive secret material such as passwords, private certificates, and keys is stripped from the raw configuration before the configuration is placed into the audit queue table for processing. That queued configuration is generally processed within a few minutes and then removed from the queue database. If a manual audit is run with the "Do not save results on website" option selected, the configuration is not saved in an audit queue or other database table and is processed directly in memory only. Audit results, scores, report metadata, and identified potential security issues may still be retained as part of audit history or related account records unless the no-save workflow is used. Those outputs can contain sensitive security-related information about your environment. You are responsible for deciding what you submit and for redacting data where appropriate before upload.
ConfigSentry is currently being offered as an early free trial. A self-service Data Processing Agreement is not currently available. Firewall configuration files can contain sensitive operational information and may contain personal data depending on how an environment is configured. Please only upload configuration files that you are authorised to submit. For early testing, we recommend starting with a lab, test, sample, or sanitised FortiGate configuration where possible. If your organisation requires a Data Processing Agreement, supplier security review, subprocessor details, or specific data-handling terms before uploading production firewall configurations, contact Secdit before using the service.
3.3 Technical and Usage Data
When you visit our website or use our services, our systems may automatically collect:
- IP address
- Browser type and version
- Operating system and device information
- Request timestamps
- Pages viewed and basic navigation data
- Error logs and security logs
3.4 Cookie and Session Data
We use a small number of browser cookies that are necessary for the site to work properly. These are described in our Cookie Policy.
4. How We Use Personal Data
We use personal data to:
- Create and manage accounts and logins
- Provide and operate our website and services
- Run audits and generate reports
- Process billing and purchases where applicable
- Respond to support requests
- Protect the security and integrity of our systems, including fraud prevention and service operation
- Maintain records and comply with legal obligations
5. Legal Bases
Where GDPR applies, we rely on one or more of the following legal bases:
- Contract: to provide the service you request and manage your account
- Legitimate interests: to secure, maintain, and improve our website and services, and to prevent misuse
- Legal obligation: to comply with laws, tax, accounting, and regulatory requirements
- Consent: where required for optional cookies or optional communications
6. Sharing of Data
We do not sell personal data.
We may share data with service providers and advisers only where reasonably necessary to operate our business, including infrastructure hosting, payment processing, email delivery, security monitoring, and professional advisers. This includes hosting for the website and ConfigSentry with Hetzner in Nuremberg, Germany. We may also disclose data where required by law or to protect our rights, users, or systems.
7. Retention
In general, we keep personal data, account data, audit results, and related records until you delete them from your account or your account is removed, unless we need to retain them longer for legal, security, accounting, fraud-prevention, or dispute-resolution reasons. For the normal hosted audit path, secret material such as passwords, private certificates, and keys is stripped before the raw configuration is added to the audit queue table. That queued configuration is generally processed within a few minutes and then removed from the queue database. If a manual audit is run with the "Do not save results on website" option selected, the configuration is not saved in an audit queue or other database table and is processed directly in memory only.
Deleting audits, reports, or related account data removes them from the live database immediately. Periodic database backups may still retain deleted data for up to 30 days as part of normal resilience and recovery processes.
8. Security
We use reasonable technical and organisational measures to protect personal data. No system is completely secure, and we cannot guarantee absolute security.
Public web traffic uses HTTPS with TLS 1.2. Internal database connections are also encrypted with TLS and certificate authentication. Passwords are stored in the database in encrypted and/or hashed form. Exported report encryption or password protection, where offered, applies to the downloaded report package and should not be read as a statement about every platform-side storage control. If your review requires more implementation detail, contact Secdit directly.
9. International Transfers
Where personal data is transferred outside the European Economic Area, we use appropriate safeguards where required by law.
10. Your Rights
Depending on where you are located, you may have the right to access your personal data, request deletion or erasure, and request correction of inaccurate or incomplete data where applicable. To exercise those rights, contact us at support@secdit.com or use our contact page.
11. Children
Our website and services are not intended for children, and we do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. The updated version will be posted on this page when changes are made.
13. Contact
If you have questions about this Privacy Policy or wish to exercise your data protection rights, contact us at support@secdit.com or through our contact page.