Legal

Privacy Policy

Last updated: February 12, 2026

1. Introduction

BIT SENTINEL SECURITY SRL (“BIT SENTINEL”, “we”, “us”, or “our”), a company registered in Romania (EU) under registration number RO34300479, operates the Red Team Cockpit platform (“Platform”, “Service”). This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our Platform, visit our website, or interact with our services.

We are committed to protecting your privacy and handling your data in accordance with the General Data Protection Regulation (GDPR), Romanian data protection laws, and other applicable legislation.

Access to the Platform is provided under a contractual agreement. Additional data processing terms, confidentiality clauses, and service-specific obligations may apply as defined in your individual service contract, data processing agreement (DPA), or order form. In the event of any conflict between this Privacy Policy and your service agreement, the terms of the service agreement shall prevail.

2. Data Controller

BIT SENTINEL SECURITY SRL
Registration Number: RO34300479
Headquarters: Romania, European Union
Contact: [email protected]

3. Data We Collect

3.1 Account Data

When you register for the Platform, we collect:

  • Full name and email address
  • Password (stored as a bcrypt hash - we never store plaintext passwords)
  • Organization/company name
  • Role within the Platform (administrator, pentester, or client)
  • Profile avatar (if uploaded)
  • Two-factor authentication (2FA) configuration data

3.2 Project & Engagement Data

In the course of using the Platform for penetration testing and red team management, you and your team may store:

  • Project metadata (names, dates, status, team assignments)
  • Scope definitions including target assets (IP addresses, domains, URLs, CIDR ranges)
  • Vulnerability findings (descriptions, severity scores, evidence, screenshots, proof-of-concept data)
  • Remediation tracking data (fix status, timelines, assignees)
  • Comments, notes, and activity logs
  • Generated reports (PDF, DOCX)

3.3 Credentials & Sensitive Data

The Platform allows users to securely store test credentials (usernames, passwords, SSH keys, API tokens, VPN configurations, certificates) required for penetration testing engagements. All credentials are encrypted at rest using AES-256 encryption.

3.4 Client Contact Data

Organizations using the Platform may store client contact information (names, email addresses, phone numbers) for engagement coordination and scope approval workflows.

3.5 Usage & Technical Data

We collect limited technical data to ensure Platform functionality and security:

  • IP addresses (for access control and IP whitelisting features)
  • Browser type and device information
  • Session data and authentication tokens
  • Activity logs (actions performed, timestamps)

3.6 Contact Form Data

If you contact us through the website, we collect your name, email address, company, role, and the content of your message.

4. How We Use Your Data

We process your data for the following purposes:

  • Service delivery: To provide, maintain, and operate the Platform and its features
  • Authentication & security: To verify identity, enforce access controls, and protect against unauthorized access
  • Collaboration: To enable real-time collaboration, comments, task assignments, and notifications between team members and clients
  • Report generation: To produce penetration testing reports in PDF and DOCX formats
  • AI-assisted features: To generate vulnerability descriptions, remediation recommendations, and impact assessments when you use the AI Writing Assistant (see Section 6)
  • Communication: To respond to your inquiries and send service-related notifications
  • Compliance: To maintain audit trails and support compliance documentation requirements
  • Improvement: To improve Platform functionality, fix bugs, and enhance user experience

5. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Platform and fulfill our contractual obligations
  • Legitimate interest (Art. 6(1)(f)): Processing necessary for security, fraud prevention, and service improvement
  • Legal obligation (Art. 6(1)(c)): Processing required by law (e.g., tax, accounting, regulatory compliance)
  • Consent (Art. 6(1)(a)): Where we request your explicit consent (e.g., for optional AI features or marketing communications)

6. AI-Assisted Processing & Third-Party Providers

The Platform includes optional AI-powered features that assist with generating and processing security-related content such as vulnerability descriptions, remediation guidance, impact assessments, and other documentation. When these features are used - either directly by your team through the Platform or by BIT SENTINEL's penetration testing team as part of a managed security engagement - relevant data may be processed through third-party AI providers.

Depending on the configuration, the following AI providers may be used:

  • Google (Gemini) - Google Cloud AI services
  • OpenAI - GPT-based language models
  • Anthropic - Claude language models

AI-assisted processing is used solely to support security assessment workflows and improve the quality and efficiency of deliverables. No data is sent to AI providers unless an AI-powered feature is actively used. The specific scope of AI-assisted processing, including any limitations or exclusions, may be further defined in your service contract or data processing agreement.

If you engage BIT SENTINEL's team of penetration testers for managed security assessments, our security professionals may use AI-assisted tools within the Platform to process engagement-related information as part of the service delivery. This is covered under the contractual terms governing the engagement.

We also use the following service providers:

  • Postmark - Transactional email delivery
  • Hosting providers - Infrastructure hosting within the European Union

7. Data Security

We implement industry-standard security measures to protect your data. Given the sensitive nature of penetration testing data - including vulnerability findings, proof-of-concept evidence, remediation details, and generated reports - we apply encryption and strict access controls across all layers of the Platform:

  • AES-256 encryption for stored credentials, vulnerability findings, report content, and sensitive files at rest
  • TLS encryption for all data in transit
  • Encrypted storage of finding descriptions, evidence, proof-of-concept data, and remediation guidance
  • Bcrypt password hashing
  • Two-factor authentication (TOTP)
  • Role-based access control (RBAC) ensuring users only access data relevant to their role and engagements
  • IP whitelisting capabilities
  • Comprehensive audit logging of all data access and modifications
  • Regular security assessments and penetration testing of our own infrastructure

8. Data Retention

Data retention periods are defined in your service contract or data processing agreement. We retain your data for as long as your account is active or as needed to provide the Service. Project and engagement data is retained for the duration specified in your agreement. Upon account termination or request, we will delete or anonymize your personal data within the period specified in your contract (or 30 days if not specified), unless retention is required by law or contractual obligation.

9. Data Transfers & Residency

Your data is primarily stored and processed within the European Union. Specific data residency requirements, storage locations, and transfer restrictions may be defined in your service contract or data processing agreement. Where data transfers outside the EU are necessary (e.g., when using AI providers as described in Section 6), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

10. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”)
  • Right to restrict processing: Request limitation of how we process your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

11. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) or your local data protection authority within the EU.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, where appropriate, by email. Continued use of the Platform after changes constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or requests, contact us at:

BIT SENTINEL SECURITY SRL
Email: [email protected]
Registration: RO34300479
Location: Romania, European Union