Privacy

Your data, protected

How we handle, store, and safeguard your information — and how our self-hosted deployment ensures your data never leaves your infrastructure.

Last updated: March 1, 2026 · Effective date: March 1, 2026

No client data collection

We don't access or analyze your security scan data for our own purposes. Your vulnerability findings and configurations belong to you.

Encrypted at rest and in transit

TLS 1.3 in transit, AES-256 at rest. Scan credentials encrypted with per-organization keys.

Self-hosted option

Deploy entirely within your infrastructure. Zero outbound connections. Your data never leaves your network.


No selling, no ads

We never sell your data, use it for advertising, or share it with data brokers.

You own your data

Export or delete anytime. Full portability in PDF, CSV, and JSON.

GDPR compliant

SCUTO SRL is registered in Romania (EU). Your data is processed in accordance with GDPR.

Table of Contents
  1. Introduction and Scope
  2. Data Controller
  3. Definitions
  4. Data We Collect
  5. Legal Basis for Processing
  6. How We Use Your Data
  7. Data Sharing and Disclosure
  8. Sub-Processors
  9. International Data Transfers
  10. Data Retention
  11. Data Security
  12. Cookies and Tracking Technologies
  13. Your Rights Under GDPR
  14. Your Rights Under CCPA/CPRA
  15. Other Jurisdictions
  16. Children's Privacy
  17. Third-Party Links
  18. Data Processing Agreement
  19. Changes to This Policy
  20. Self-Hosted & Air-Gapped Deployments
  21. Contact Us

1. Introduction and Scope

SCUTO SRL ("Scuto," "we," "us," or "our") is committed to protecting the privacy of individuals who visit our website (scuto.ai), use our platform, or otherwise interact with our services. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal data when you use our cybersecurity platform — including cloud security, EDR/XDR, device management, penetration testing, container scanning, and compliance automation — our website, and related services (collectively, the "Services").

This policy applies to all users of our Services, including account holders, team members, website visitors, and any person whose personal data is processed through the platform. By using our Services, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR) and the UK GDPR, SCUTO SRL, a company registered in Romania (EU), is the data controller for personal data collected through our website and in connection with account management. When processing scan data on behalf of our customers, Scuto acts as a data processor, and the customer organization acts as the data controller.

SCUTO SRL

Registered in Romania (EU)

Email: privacy@scuto.ai

3. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR.

"Customer Data" means data submitted by or on behalf of a customer to the platform, including scan targets, scan results, vulnerability findings, and configuration settings.

"Usage Data" means data collected automatically about how you interact with our Services, including log data, device information, and analytics.

"Sub-Processor" means a third-party service provider that processes personal data on our behalf.

4. Data We Collect

4.1 Account and Identity Data

When you create an account, we collect your full name, email address, company name, job title, and password (stored as a salted hash). If you sign up using a third-party identity provider (e.g., Google, GitHub), we receive your name, email, and profile identifier from that provider.

4.2 Billing and Payment Data

When you purchase a subscription, our payment processor (Stripe) collects your payment card number, expiration date, billing address, and related financial information. Scuto does not store your full credit card number. We receive from Stripe a tokenized reference, last four digits, card brand, and billing address for record-keeping and receipt purposes.

4.3 Scan and Security Data

When you use our scanning services, we process scan target URLs, IP addresses, domain names, cloud account identifiers, repository URLs, and scan configuration parameters. Scan results include discovered vulnerabilities, severity ratings, technical evidence (screenshots, video recordings, HTTP request/response pairs), and remediation guidance. This data belongs to you (the customer) and is processed on your behalf.

4.4 Cloud Integration Data

When you connect cloud accounts (AWS, Azure, GCP) or source code repositories (GitHub), we receive read-only access credentials (IAM roles, service principals, or OAuth tokens) scoped to the minimum permissions required for scanning. These credentials are encrypted at rest with per-organization keys and used solely to perform authorized scans.

4.5 Usage and Analytics Data

We automatically collect information about how you interact with our Services, including: pages visited, features used, scan frequency, dashboard interactions, browser type and version, operating system, IP address, referring URL, session duration, and general geographic location (city/country level). We use this data to improve our Services and do not use it for advertising purposes.

4.6 Communication Data

When you contact us via email, contact forms, or support channels, we collect the content of your communications, your email address, and any attachments you provide. We use this data to respond to your inquiries and improve our support processes.

4.7 Audit and Log Data

We maintain detailed audit logs of all actions performed within the platform, including logins, scan initiations, configuration changes, team member invitations, and report exports. Audit logs include timestamps, user identifiers, IP addresses, and action descriptions.

4.8 Self-Hosted Deployments

For self-hosted and air-gapped deployments, Scuto does not collect, receive, or have access to any Customer Data, Scan Results, credentials, or configurations. All data remains entirely within your infrastructure. The data categories described in Sections 4.1–4.7 apply only to the SaaS deployment. In self-hosted mode, the only data Scuto receives is what you explicitly provide through support channels.

5. Legal Basis for Processing

Under the GDPR (Article 6), we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Services you have subscribed to, including account management, scan execution, and result delivery.
  • Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as improving our Services, ensuring platform security, preventing fraud, and conducting analytics. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as tax regulations, anti-money laundering requirements, and responding to lawful government requests.
  • Consent (Art. 6(1)(a)): Where required, we obtain your consent for specific processing activities, such as sending marketing communications. You may withdraw consent at any time.

6. How We Use Your Data

We use the data we collect for the following purposes:

  • Service delivery: Provisioning accounts, executing scans, generating reports, mapping compliance frameworks, and delivering scan results.
  • Platform operation: Maintaining infrastructure, monitoring performance, diagnosing errors, and ensuring availability.
  • Security: Detecting and preventing unauthorized access, abuse, fraud, and other malicious activities on our platform.
  • Product improvement: Analyzing usage patterns to improve scanner accuracy, user experience, and feature development. We never use your scan data or vulnerability findings to train machine learning models without explicit consent.
  • Billing and administration: Processing payments, sending invoices, managing subscriptions, and enforcing usage limits.
  • Communications: Sending transactional emails (scan completion, security alerts, account changes), responding to support requests, and — with your consent — sending product updates and security advisories.
  • Legal compliance: Meeting our obligations under applicable laws and regulations, responding to legal processes, and protecting our rights.

We do not sell your personal data. We do not use your personal data for behavioral advertising or share it with data brokers. We do not use your scan results or vulnerability data for any purpose other than providing Services to you.

7. Data Sharing and Disclosure

We may share your personal data in the following circumstances:

  • Sub-processors: With trusted third-party service providers who process data on our behalf under contractual obligations that require them to protect your data (see Section 8).
  • Within your organization: Account administrators and team members within your workspace may access scan data, reports, and activity logs as permitted by your organization's role-based access controls.
  • Legal requirements: When required by law, regulation, legal process, or governmental request. We will notify you of such requests unless prohibited by law or court order.
  • Protection of rights: When necessary to enforce our Terms of Service, protect our rights, safety, or property, or the rights of others.
  • Business transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets. In such cases, your data would remain subject to this Privacy Policy, and we will notify you of any change in data controller.
  • With your consent: In any other circumstances where we have obtained your explicit consent.

8. Sub-Processors

We use the following categories of sub-processors to deliver our Services. Each sub-processor is bound by data processing agreements that include obligations consistent with GDPR requirements:

Provider, purpose, and location:

  • Cloud hosting provider: infrastructure and platform hosting (US / EU)
  • Stripe: payment processing and billing (US)
  • Resend: transactional email delivery (US)
  • Google Analytics: website analytics and usage insights (US)
  • Error monitoring provider: application error tracking and diagnostics (US)

A complete, up-to-date list of sub-processors is available upon request. We will notify customers of any new sub-processor additions at least 30 days before they begin processing data, providing you the opportunity to object.

Self-hosted deployments: Self-hosted deployments do not involve any sub-processors. All processing occurs within your infrastructure.

9. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), the United Kingdom, or your country of residence. When we transfer data outside the EEA or UK, we rely on one or more of the following safeguards:

  • EU-US Data Privacy Framework: For transfers to US-based providers that are certified under the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): European Commission-approved SCCs (2021 version) incorporated into our data processing agreements.
  • Adequacy decisions: Transfers to countries that the European Commission has determined provide an adequate level of data protection.

We supplement these transfer mechanisms with additional technical and organizational measures, including encryption in transit and at rest, access controls, and contractual obligations on sub-processors.

Self-hosted deployments: Self-hosted deployments involve no international data transfers by Scuto, as all data processing occurs within your infrastructure.

10. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law.

Retention period by data category:

  • Account data: duration of the account plus 30 days after deletion
  • Scan results and vulnerability data: per subscription plan (30 days to unlimited)
  • Billing and transaction records: 7 years (tax and legal obligations)
  • Audit logs: duration of the subscription plus 1 year
  • Usage and analytics data: 26 months (then aggregated/anonymized)
  • Support communications: 3 years after resolution
  • Cloud integration credentials: until revoked by you or the account is deleted

Upon account deletion, we will remove or anonymize your personal data within 30 days, except where retention is required by law. Scan data and vulnerability reports are permanently deleted within 30 days of account closure or upon your earlier written request.

Self-hosted deployments: For self-hosted deployments, data retention is entirely under your control. Scuto has no access to delete or modify your data.

11. Data Security

We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:

  • Encryption: All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Scan credentials are encrypted with per-organization keys managed through a dedicated key management service.
  • Tenant isolation: Each organization's data is logically isolated at the database level. Scan results, credentials, and configurations are never accessible across tenants.
  • Access controls: Internal access to production systems follows the principle of least privilege, with multi-factor authentication required for all personnel. Access is reviewed quarterly.
  • Infrastructure security: VPC isolation, WAF protection, DDoS mitigation, egress filtering, and continuous vulnerability scanning of our own infrastructure.
  • Monitoring: 24/7 monitoring with automated alerting for anomalous access patterns. Security events are logged and retained for incident investigation.
  • Incident response: We maintain a documented incident response plan. In the event of a personal data breach affecting your data, we will notify you without undue delay (and in any case within 72 hours of becoming aware of the breach) and, where Scuto acts as the data controller, the relevant supervisory authority within 72 hours, as required by GDPR Articles 33 and 34.

For more details, see our Security page.

Self-Hosted Security

For self-hosted deployments, you control all security measures including encryption keys, network access, and authentication. Scuto provides hardened deployment artifacts and security guidance but has no access to your running instance.

12. Cookies and Tracking Technologies

12.1 Essential Cookies

These cookies are strictly necessary for the operation of our Services. They include session identifiers for authentication, CSRF protection tokens, and user preference storage (e.g., theme selection). These cookies do not require consent as they are necessary for the service to function.

12.2 Analytics Cookies

We use Google Analytics to understand how visitors interact with our website. Google Analytics uses cookies to collect anonymized usage data such as pages visited, session duration, and referral sources. We do not use advertising-based tracking features. Where required by law, we obtain consent before placing analytics cookies.

12.3 What We Do Not Use

We do not use advertising cookies, social media tracking pixels, cross-site tracking, or fingerprinting technologies. We do not participate in ad networks or sell data to advertisers. We do not share cookie data with third parties for their own marketing purposes. Google Analytics data is used solely for website improvement and is not linked to personal identifiers.

12.4 Managing Cookies

You can control and delete cookies through your browser settings. Blocking essential cookies may affect the functionality of our Services. Most modern browsers allow you to set preferences for cookie handling, including blocking third-party cookies.

13. Your Rights Under GDPR

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the GDPR and UK GDPR:

  • Right of access (Art. 15): You have the right to request a copy of the personal data we hold about you and information about how it is being processed.
  • Right to rectification (Art. 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
  • Right to erasure (Art. 17): You have the right to request deletion of your personal data where there is no compelling reason for its continued processing, subject to legal retention requirements.
  • Right to restrict processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
  • Right to object (Art. 21): You have the right to object to processing based on legitimate interests, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
  • Right to withdraw consent (Art. 7(3)): Where processing is based on consent, you have the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.
  • Right to lodge a complaint (Art. 77): You have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.
  • Rights related to automated decision-making (Art. 22): We do not make automated decisions that produce legal effects concerning you or similarly significant effects based solely on automated processing. Vulnerability severity ratings are automated but are supplementary tools, not decisions affecting your legal rights.

To exercise any of these rights, contact us at privacy@scuto.ai. We will respond within 30 days. We may request verification of your identity before processing your request. These rights are provided free of charge, except where requests are manifestly unfounded or excessive.

14. Your Rights Under CCPA/CPRA (California Residents)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know: You have the right to know what personal information we collect, use, disclose, and sell (if applicable). You may request the specific pieces of personal information we have collected about you in the preceding 12 months.
  • Right to delete: You have the right to request deletion of your personal information, subject to certain exceptions.
  • Right to correct: You have the right to request correction of inaccurate personal information.
  • Right to opt out of sale/sharing: We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no need to opt out, but we honor any Global Privacy Control (GPC) signals your browser sends.
  • Right to limit use of sensitive personal information: We only use sensitive personal information (such as payment data) as necessary to perform our Services and do not use it for purposes beyond what is reasonably expected.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

To submit a CCPA/CPRA request, email privacy@scuto.ai with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.

Categories of Personal Information Collected (CCPA Disclosure)

In the preceding 12 months, we have collected the following categories of personal information: identifiers (name, email, IP address); commercial information (subscription and billing records); internet activity (usage data, browser type); professional information (company name, job title); and inferences drawn from the above (product preferences). We have not sold any categories of personal information.

15. Other Jurisdictions

Canada (PIPEDA)

If you are a Canadian resident, you have rights under the Personal Information Protection and Electronic Documents Act (PIPEDA), including the right to access, correct, and challenge the accuracy of your personal information. We process personal information only for purposes a reasonable person would consider appropriate in the circumstances, and we obtain meaningful consent for collection, use, and disclosure.

Australia (Privacy Act 1988)

If you are an Australian resident, we comply with the Australian Privacy Principles (APPs) under the Privacy Act 1988. You have the right to access and correct your personal information and to make complaints to the Office of the Australian Information Commissioner (OAIC).

Brazil (LGPD)

If you are a Brazilian resident, you have rights under the Lei Geral de Proteção de Dados (LGPD), including confirmation of processing, access, correction, anonymization, portability, deletion, and information about sharing. To exercise these rights, contact our DPO at privacy@scuto.ai.

16. Children's Privacy

Our Services are not directed to individuals under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without appropriate consent, we will delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@scuto.ai.

17. Third-Party Links

Our Services may contain links to third-party websites or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you interact with. This Privacy Policy applies only to our Services.

18. Data Processing Agreement

For customers who require a Data Processing Agreement (DPA) to comply with GDPR, UK GDPR, or other data protection regulations, we offer a pre-signed DPA that includes Standard Contractual Clauses. Our DPA covers the nature and purpose of processing, data categories, retention periods, security measures, sub-processor management, and data subject rights assistance.

Enterprise customers may request a custom DPA. To obtain a copy of our DPA, contact legal@scuto.ai.

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email (sent to the address associated with your account) or by posting a prominent notice on our website at least 30 days before the changes take effect. The "Last updated" date at the top of this policy indicates when it was most recently revised.

Your continued use of our Services after the effective date of a revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue use of the Services and contact us to delete your account.

20. Self-Hosted & Air-Gapped Deployments

Scuto offers self-hosted and air-gapped deployment options for organizations that require complete control over their data. This section consolidates all privacy-relevant differences between SaaS and self-hosted deployments.

Data Processing

In a self-hosted deployment, all Customer Data — including scan results, vulnerability findings, credentials, configurations, and audit logs — remains entirely within your infrastructure. Scuto does not collect, receive, transmit, or have access to any of this data. The platform operates independently with zero outbound data connections.

Sub-Processors and Third Parties

Self-hosted deployments do not involve any Scuto sub-processors. All data processing occurs on your infrastructure using your own services. You are responsible for selecting and managing any third-party services your deployment depends on (e.g., cloud hosting, databases, monitoring).

International Transfers

Because Scuto has no access to your data in a self-hosted deployment, there are no international data transfers by Scuto. Any data transfers are under your organization's control and subject to your own data protection policies.

Data Retention

Data retention for self-hosted deployments is entirely under your control. You determine how long data is stored, when it is deleted, and how backups are managed. Scuto has no ability to access, delete, or modify your data.

Security Responsibilities

For self-hosted deployments, you are responsible for all security measures including encryption key management, network security, access controls, authentication, patching, and monitoring. Scuto provides hardened deployment artifacts (container images, Helm charts), security configuration guides, and ongoing security advisories, but has no access to your running instance or data.

Support and Diagnostics

When you contact Scuto for support, the only data Scuto receives is what you explicitly provide through support channels. We may request anonymized logs or configuration excerpts to diagnose issues, but this is always at your discretion. Scuto never has standing access to self-hosted environments.

21. Contact Us

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, contact us using the following channels:

General privacy inquiries: privacy@scuto.ai

Legal and DPA requests: legal@scuto.ai

CCPA/CPRA requests: privacy@scuto.ai (subject line: "California Privacy Request")

If you are in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.