Privacy Policy
How we collect, use, protect, and share information about you.
1. Introduction and Scope
Alex Terrats Ciberseguretat SLU (DAB SecurePeak) ("SecurePeak," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website (www.securepeak.com), use our services, or otherwise interact with us.
This Privacy Policy applies to all SecurePeak services, including but not limited to: Cryptographic Infrastructure Services (PKI, HSM, Post-Quantum Migration, Protocol Design, Secrets Management), Offensive Security Services (penetration testing, red team operations, vulnerability research), Defensive Operations (security monitoring, incident response, threat detection), Edge Infrastructure Services, Applied Research Services, and our Certificate Management Portal.
By using our website or services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our services.
2. Regulatory Compliance Framework
SecurePeak operates globally and complies with applicable data protection regulations in all jurisdictions where we conduct business. Our privacy practices are designed to meet or exceed the requirements of the following frameworks:
🇪🇺 European Union — GDPR
We comply with the General Data Protection Regulation (EU) 2016/679 for all processing of personal data of individuals in the European Economic Area. SecurePeak acts as a data controller for client relationship data and as a data processor for data processed on behalf of clients during service delivery.
🇦🇩 Principality of Andorra — LOPD
As a company with operations in Andorra, we comply with the Llei 15/2003 de Protecció de Dades Personals (LOPD) and subsequent amendments. Andorra is recognized by the European Commission as providing adequate data protection. We are registered with the Agència Andorrana de Protecció de Dades (APDA).
🇺🇸 United States
We comply with applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), and other state privacy regulations. For clients in regulated industries, we maintain compliance with sector-specific requirements including HIPAA, GLBA, and DFARS/NIST 800-171.
3. Information We Collect
3.1 Information You Provide Directly
We collect information you voluntarily provide when you interact with us:
- Account Information: Name, email address, phone number, organization name, job title, and billing information when you create an account or engage our services.
- Service-Specific Information: Technical details about your infrastructure, systems, networks, and security configurations necessary to deliver our services.
- Certificate Information: For Certificate Management Portal users, organization details, domain information, CSR data, contact information for certificate validation, and identity verification documents for OV/EV certificates.
- Communications: Content of emails, support tickets, chat conversations, and other communications with our team.
- Engagement Information: Scope documents, rules of engagement, authorization forms, and other contractual documentation for security assessments.
3.2 Information Collected Automatically
When you visit our website or use our services, we automatically collect certain information:
- Device Information: IP address, browser type and version, operating system, device identifiers, and hardware attributes.
- Usage Data: Pages visited, time spent on pages, click patterns, referring URLs, and navigation paths.
- Log Data: Server logs, access times, error logs, and security event logs.
- Location Data: General geographic location derived from IP address (country/region level only).
3.3 Information from Third Parties
We may receive information about you from third parties:
- Certificate Authorities: Validation status, certificate issuance records, and revocation information from SSL.com and other CA partners.
- Business Partners: Referral information from partner organizations.
- Public Sources: Publicly available information for client verification and due diligence purposes.
- Threat Intelligence: Anonymized threat data from industry sharing organizations (ISACs, CERTs).
3.4 Special Categories of Data
In the course of delivering security services, we may process or encounter special categories of personal data (sensitive data). We process such data only when strictly necessary for service delivery, with explicit consent, or under applicable legal bases. This includes data encountered during penetration testing, incident response, or forensic investigations conducted under client authorization.
4. How We Use Your Information
4.1 Service Delivery
- Providing cryptographic infrastructure services including PKI design, HSM deployment, and certificate management
- Conducting authorized security assessments, penetration tests, and red team operations
- Delivering defensive security services including monitoring, detection, and incident response
- Operating edge infrastructure and XDR/SIEM platforms
- Processing certificate orders through the Certificate Management Portal
- Providing technical support and customer service
4.2 Legal Bases for Processing (GDPR/LOPD)
| Purpose | Legal Basis |
|---|---|
| Service delivery and contract performance | Performance of contract (Art. 6(1)(b) GDPR) |
| Certificate issuance and validation | Performance of contract; Legal obligation |
| Security monitoring and threat detection | Legitimate interests (Art. 6(1)(f) GDPR) |
| Compliance with CA/Browser Forum requirements | Legal obligation (Art. 6(1)(c) GDPR) |
| Marketing communications | Consent (Art. 6(1)(a) GDPR) |
| Fraud prevention and security | Legitimate interests |
| Legal claims and compliance | Legal obligation; Legitimate interests |
4.3 Business Operations
- Account management and billing
- Service improvement and development
- Analytics and performance monitoring
- Training and quality assurance (with appropriate safeguards)
- Compliance with legal and regulatory obligations
5. Information Sharing and Disclosure
5.1 We Do Not Sell Personal Data
SecurePeak does not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not participate in data broker activities.
5.2 Authorized Disclosures
We may share your information in the following circumstances:
- Service Providers: Third-party vendors who assist in service delivery (cloud infrastructure, payment processing, support systems) under strict contractual data protection obligations.
- Certificate Authorities: SSL.com and other CA partners for certificate issuance, validation, and revocation services. Certificate information is published according to CA/Browser Forum requirements.
- Legal Requirements: When required by law, subpoena, court order, or governmental request; to protect our rights, privacy, safety, or property; to enforce our agreements.
- Business Transfers: In connection with a merger, acquisition, or sale of assets, subject to confidentiality agreements.
- With Your Consent: When you have provided explicit authorization for specific disclosures.
5.3 Engagement-Specific Disclosures
For security assessment engagements, findings and reports are delivered exclusively to authorized client contacts as specified in the engagement agreement. We maintain strict confidentiality of all vulnerability information, attack paths, and sensitive technical details discovered during assessments.
6. International Data Transfers
SecurePeak operates globally and may transfer personal data across international borders. For transfers from the EEA, UK, or Switzerland to countries not deemed adequate by relevant authorities, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Technical measures including encryption in transit and at rest
- Access controls and audit logging
Andorra is recognized as providing adequate data protection, facilitating transfers between the EU and our Andorran operations.
7. Data Retention
We retain personal data only as long as necessary for the purposes described in this Privacy Policy:
| Data Category | Retention Period |
|---|---|
| Account and billing records | Duration of relationship + 7 years (legal/tax requirements) |
| Certificate records | Certificate lifetime + 10 years (CA/Browser Forum requirements) |
| Security assessment reports | As specified in engagement agreement, minimum 3 years |
| Incident response records | 7 years or as required by applicable regulations |
| Support communications | 3 years after resolution |
| Website analytics | 26 months (anonymized thereafter) |
| Marketing consent records | Duration of consent + 3 years |
8. Your Privacy Rights
8.1 Rights Under GDPR and Andorran LOPD
If you are located in the European Economic Area or Andorra, you have the following rights:
- Right of Access: Obtain confirmation of whether we process your data and receive a copy of your personal data.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data under certain circumstances.
- Right to Restriction: Request limitation of processing under certain circumstances.
- Right to Data Portability: Receive your data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests, including profiling.
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent.
- Rights Related to Automated Decision-Making: Not be subject to decisions based solely on automated processing with legal or significant effects.
8.2 Rights Under U.S. State Privacy Laws (CCPA/CPRA, VCDPA, etc.)
If you are a resident of California or other U.S. states with comprehensive privacy laws, you have rights including:
- Right to Know: Request disclosure of personal information collected, used, and disclosed.
- Right to Delete: Request deletion of personal information, subject to exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: Opt out of the sale or sharing of personal information (note: we do not sell personal information).
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising privacy rights.
- Right to Limit Use of Sensitive Personal Information: Direct us to limit use of sensitive personal information to necessary purposes.
8.3 Exercising Your Rights
To exercise any of these rights, please contact us using the information in Section 13. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA). We may need to verify your identity before processing your request.
9. Security Measures
As a security services provider, we implement industry-leading security measures to protect your information:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Multi-factor authentication for all system access
- Role-based access controls following the principle of least privilege
- Regular security assessments and penetration testing
- 24/7 security monitoring and incident response capabilities
- Employee security training and background checks
- Physical security controls at all facilities
- Business continuity and disaster recovery procedures
- SOC 2 Type II certified operations
10. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to enhance your experience. We use:
- Essential Cookies: Required for website functionality and security. Cannot be disabled.
- Analytics Cookies: Help us understand website usage (with your consent in applicable jurisdictions).
We do not use advertising cookies or tracking pixels. You can manage cookie preferences through your browser settings or our cookie consent mechanism.
11. Children's Privacy
Our services are not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete such information promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices or applicable laws. We will notify you of material changes by posting a notice on our website and, where required, by email. Changes become effective 30 days after posting unless otherwise specified.
13. Contact Information
For privacy-related inquiries, to exercise your rights, or to file a complaint:
Data Protection Officer
Alex Terrats Ciberseguretat SLU (DAB SecurePeak)
Registration: L-717869-S
Carrer Ventiga 4, AD200 Encamp
Principat d'Andorra
SecurePeak Ltd (Americas)
1309 Coffeen Ave Ste 1200
Sheridan, WY 82801-5777
United States
Email: privacy@securepeak.com
PGP Key: 0xABCD1234 (available on our website)
Supervisory Authorities
You have the right to lodge a complaint with a supervisory authority:
- Andorra: Agència Andorrana de Protecció de Dades (APDA) — www.apda.ad
- EU: Your local Data Protection Authority
- California: California Privacy Protection Agency