In summary
- Data is encrypted in transit and at rest, hosted on AWS (EU and US regions).
- Access is least-privilege with multi-factor authentication.
- We maintain logging, monitoring, vulnerability management, and an incident-response process.
- We publish our subprocessors and give 30 days' notice of changes.
- We support GDPR, UK GDPR, and US state privacy rights, with SCCs/UK IDTA for transfers and a DPA available to customers.
- Report security issues to security@seeblindspot.com; we offer a good-faith researcher safe harbor.
Infrastructure and Hosting
The Platform runs on Amazon Web Services (AWS), managed with DoiT, in EU data centers (for EEA customer data) and US data centers (for other customers). We rely on AWS's physical and environmental security and certifications for the underlying infrastructure.
Data Protection Controls
- Encryption of data in transit (TLS 1.2+) and of stored personal data at rest.
- Access control on a least-privilege basis, with multi-factor authentication for administrative and remote access, and prompt deprovisioning.
- Network and application security controls, including segmentation and managed cloud-security tooling.
- Logging, monitoring, and alerting across key systems.
- Vulnerability and patch management and secure software-development practices.
- Backups and tested restoration for resilience.
People and Vendors
Personnel are bound by confidentiality, complete security training, and receive access only as needed. We perform due diligence on subprocessors and bind them to data-protection obligations no less protective than our own. Our current subprocessor list is published and updated with 30 days' notice of changes.
Privacy and Data Rights
- We process personal data under GDPR, UK GDPR, and applicable US state privacy laws.
- SC FREEDOM MASK SRL (Romania) is our EU establishment; dpo@seeblindspot.com is our data-protection contact.
- We use the EU Standard Contractual Clauses and the UK International Data Transfer Addendum for cross-border transfers.
- We do not sell personal data. Individuals can exercise access, correction, deletion, portability, and opt-out rights via Your Privacy Choices.
- A Data Processing Addendum is available to customers, with subprocessor transparency, breach notification, audit assistance, and return/deletion terms.
Incident Response and Breach Notification
We maintain a documented incident-response process. For personal-data breaches affecting customer data, we notify affected customers without undue delay and, where practicable, within 48 hours of confirming the breach, and provide the information they need to meet their own obligations.
Availability and Communications
We communicate significant incidents and maintenance by email and in-Platform notice. Enterprise customers may agree named contacts and escalation paths in their Order.
Responsible Disclosure
If you discover a vulnerability, report it in good faith to security@seeblindspot.com. If you act in good faith (accessing only the data needed to demonstrate the issue, not degrading our service or others' data, and not disclosing publicly before we remediate), we will not pursue or support legal action against you, and we will work with you to confirm and fix the issue.
Compliance Roadmap
We continue to mature our governance toward recognized frameworks (such as the NIST Privacy and Cybersecurity Frameworks and ISO/IEC 27001 practices). Formal third-party certifications, where pursued, will be listed here as they are obtained. For current diligence materials, contact security@seeblindspot.com.
*Security: security@seeblindspot.com · Privacy: dpo@seeblindspot.com.*
Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | 14 June 2026 | Current published version. Prior internal counsel-review drafts are superseded. |