CSURFACE CSURFACE THREAT SENSOR
  • Home
  • Analytics
  • News
  • About
  • Tools
    • Constellation
  • Libraries
    • CWE
    • CAPEC
    • MITRE ATT&CK
    • MITRE D3FEND
    • OWASP Top 10
    • Ransomware Groups
    • References
  • Support
  • EN | PT
TEMPLATE — Review with legal counsel before production

Privacy Policy

Effective date: April 2026

Table of Contents

  1. Introduction
  2. Information We Collect
  3. How We Use Information
  4. Data Sharing
  5. Data Retention
  6. User Rights
  7. Security Measures
  8. International Transfers
  9. Children's Privacy
  10. Changes to Policy
  11. Contact

1.Introduction

CSURFACE, owner and operator of the CSURFACE Threat Sensor platform (accessible at threatsensor.csurface.io), acts as the data controller for personal data collected through the Platform, under the European Union General Data Protection Regulation (GDPR), the Brazilian General Data Protection Law (LGPD, Law 13.709/2018), and other applicable data protection legislation.

This Privacy Policy transparently describes what personal data we collect, why we collect it, how we use it, whom we share it with, how long we retain it, what rights you have over it, and how you can exercise those rights.

We take privacy seriously and adopt the principle of data minimization: we collect only the information strictly necessary to operate the Platform, ensure service security, and comply with legal obligations. We do not collect personal data without a valid legal basis.

This policy applies to all visitors, registered users (free and paid), API consumers, and any other person who interacts with the CSURFACE Threat Sensor Platform or CSURFACE's related services.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you must not use the Platform.

This policy should be read together with our Terms of Service and Cookie Policy, which together form the complete set of terms governing your relationship with CSURFACE.

2.Information We Collect

CSURFACE Threat Sensor is an open, free platform with no user accounts. As a result, the collection of personal data is minimal.

Connection Data

For service operation and security, we temporarily record technical metadata from your HTTP request:

  • IP address — used to detect anomalous patterns and prevent infrastructure abuse;
  • User-Agent — information about the browser or HTTP client used;
  • URL path and timestamp — recorded in operational logs and discarded per our retention policy.

We do not maintain accounts, do not process passwords, do not store payment data, and do not operate subscription plans. We do not use third-party tracking, advertising, or analytics cookies.

Cookies

We use only strictly necessary cookies to preserve your language preference. See our Cookie Policy for complete details.

3.How We Use Information

We use the connection data we collect exclusively for the following legitimate purposes:

  • Operate the service — deliver pages, run queries, and provide the public API;
  • Security — detect and block infrastructure abuse, mass scraping, and exploitation attempts;
  • Operational improvement — analyze aggregated, anonymized-when-possible usage patterns;
  • Legal obligations — respond to requests from competent authorities or court orders when applicable.

We do not use data for: (a) third-party marketing; (b) profiling for targeted advertising; (c) training artificial intelligence models without explicit consent; (d) selling to data brokers or similar entities.

Legal bases for processing are legitimate interests (service operation, security) and legal obligation (when applicable).

4.Data Sharing

Because the Platform is free, account-free, and payment-free, sharing of personal data with third parties is limited to the strict minimum necessary to operate the infrastructure.

What we do NOT do

We do not sell your personal data. CSURFACE does not sell, rent, trade, or commercialize in any way the personal data of its users with third parties. We do not share data with data brokers, advertising networks, profile aggregators, or similar entities.

Legal Compliance Disclosure

We may disclose personal data when strictly necessary to: (a) comply with legal, regulatory, or tax obligations; (b) respond to subpoenas, court orders, or requests from competent authorities; (c) protect the rights, property, or safety of CSURFACE, users, or third parties; (d) investigate and prevent fraud or abuse; (e) in connection with a merger, acquisition, or asset sale, always with prior notice to users when legally permitted.

Whenever legally possible, we will notify you before disclosing your data in response to government requests, except when prohibited by law or when such notification could harm an ongoing investigation.

Infrastructure Subprocessors

Our infrastructure uses hosting, storage, and CDN providers that process data on our behalf under data processing agreements (DPAs). These subprocessors are subject to strict security and confidentiality requirements.

5.Data Retention

We retain connection data only for as long as necessary to fulfill the purposes described in this policy, except when a longer period is required or permitted by law. The main retention periods are:

Data CategoryRetention Period
Operational logs (IP, User-Agent, URL path, timestamp)90 days
Audit logs (infrastructure security events)24 months
Encrypted backups (disaster recovery)30 days

Aggregated and fully anonymized data, which cannot be linked to an individual, may be retained for longer periods for statistical purposes, research, and service improvement.

In cases of legal disputes, ongoing investigations, or active regulatory obligations, we may retain specific data beyond standard periods, for the time strictly necessary.

6.User Rights (GDPR / LGPD)

Under LGPD, GDPR, and other applicable data protection laws, you have the following rights regarding your personal data processed by CSURFACE:

  • Right of access — obtain confirmation about the existence of processing of your data and receive a copy of the personal data we hold about you, in a structured and readable format;
  • Right of rectification — request correction of incomplete, inaccurate, or outdated data. Many of these data points can be corrected directly in the Platform's profile area;
  • Right of erasure (right to be forgotten) — request deletion of your personal data, except when necessary for compliance with legal obligations, regular exercise of rights in judicial proceedings, or overriding legitimate interests;
  • Right of portability — receive your personal data in a structured, commonly used (JSON), and machine-readable format, for transfer to another service of your choice;
  • Right to information — obtain clear information about the public or private entities with which we share your data;
  • Right to review of automated decisions — request review of decisions made solely based on automated processing that affect your interests;
  • Right to object — object to processing carried out based on legitimate interest, when reasons related to your particular situation are present;
  • Right to withdraw consent — withdraw previously granted consents, at any time, without prejudice to the legality of prior processing.

How to exercise your rights

To exercise any of these rights, you may:

  • Access your profile area on the Platform, where many actions are available directly (edit data, download data, delete account);
  • Send a formal request to [email protected] clearly indicating which right you wish to exercise;
  • Include reasonable identification so that we can verify that the request was made by the legitimate data subject (typically, the registered email).

We will respond to requests within 15 days (LGPD) or 30 days (GDPR), extendable in case of complex or high-volume requests, always with justification.

You also have the right to lodge a complaint with the National Data Protection Authority (ANPD, Brazil) or the competent data protection authority in your jurisdiction, if you believe that the processing of your data infringes applicable legislation.

7.Security Measures

We implement robust technical and organizational measures to protect your personal data against unauthorized access, improper disclosure, alteration, loss, or destruction. Our main measures include:

  • Encryption at rest — sensitive data stored in the database is protected with strong encryption (AES-256). Backups are equally encrypted;
  • TLS in transit — all communications between your browser and the Platform use TLS 1.2+ with modern cipher suites, ensuring data confidentiality and integrity;
  • Audit logging — we log sensitive events related to infrastructure operation for security investigation purposes;
  • Least-privilege access control — access to production systems is restricted to authorized CSURFACE staff, following the principle of least privilege, with strong authentication and audit logging;
  • Anti-abuse safeguards — we apply technical measures to prevent mass scraping and infrastructure abuse, without any commercial distinction between visitors;
  • Continuous monitoring — we monitor infrastructure and application to detect anomalies, intrusion attempts, and suspicious behavior;
  • Security updates — we keep operating systems, libraries, and dependencies updated with regular security patches;
  • Environment segregation — development, staging, and production environments are strictly segregated, and real data is not replicated to non-production environments.

Despite all efforts, no system is 100% secure. If we become aware of a personal data breach that represents a risk to your rights, we will notify you and the competent data protection authority within applicable legal deadlines (72 hours under GDPR, reasonable period under LGPD).

You also play an important role in the security of your data: use strong and unique passwords, enable 2FA, do not share credentials, keep your browser and operating system updated, and report suspicious activity to [email protected].

8.International Data Transfers

CSURFACE may process and store personal data on servers located in jurisdictions different from yours, including countries outside Brazil or the European Union, depending on the location of our infrastructure and subprocessor providers.

[PLACEHOLDER — Specific list of countries where data is processed will be published here after final legal review, including information about the hosting provider and geographic regions used.]

When we transfer personal data to jurisdictions that do not offer a level of protection considered adequate by Brazilian or European authorities, we adopt appropriate safeguard mechanisms, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Data processing agreements (DPAs) with equivalent contractual protection commitments;
  • Certifications of compliance with recognized regimes (ISO 27001, SOC 2, etc.);
  • Data protection impact assessment when applicable.

You may request more information about specific international transfers applicable to your data and the safeguard mechanisms adopted through [email protected].

9.Children's Privacy

The CSURFACE Threat Sensor Platform is not intended for users under 18 years of age. We do not intentionally collect personal data from minors under 18, since the content and nature of the platform (professional threat intelligence) are intended exclusively for adult professionals.

If we become aware that we have inadvertently collected personal data from a minor under 18 without proper legal authorization, we will take measures to delete such information from our systems as soon as possible.

If you are a parent, legal guardian, or caretaker and believe that a minor under your responsibility has provided us with personal data, contact us immediately at [email protected] so that we can remove the relevant information.

10.Changes to Policy

This Privacy Policy may be updated periodically to reflect changes in our practices, new Platform features, changes in legal requirements, or improvements in data protection measures.

When we make material changes to this policy, we will notify you by email to the address associated with your account, with reasonable advance notice of the effective date of the new practices. The date of the last update will always be displayed at the top of this page.

For significant changes that affect how we use your data, we may request your explicit consent again, when legally required.

Continued use of the Platform after the effective date of the changes constitutes your agreement with the updated version of this policy. If you do not agree with the changes, you must discontinue use of the Platform and may request deletion of your account.

Previous versions of this Privacy Policy may be made available upon request to [email protected] for historical reference and transparency purposes.

11.Contact

For privacy questions, exercise of data subject rights, deletion or data access requests, or complaints related to the processing of personal data, contact us:

  • Privacy email: [email protected]
  • Security email: [email protected]
  • Data Protection Officer (DPO): to be designated and published after final legal review;
  • Controller: CSURFACE (complete information will be published here after legal review);
  • Web: threatsensor.csurface.io

We will respond to all legitimate requests within applicable legal deadlines. For urgent requests related to security incidents, use [email protected].

Effective date of this Policy: April 2026

CSURFACE Threat Sensor — A CSURFACE project

Terms · Privacy · Cookies