1. Controller
The controller responsible for data processing is:
2. Data We Collect
2.1 Account Data
When you register, we collect:
- Email address
- Hashed password (bcrypt, never stored in plain text)
- Company name (optional)
- Selected plan and billing information (processed by Stripe)
2.2 Scan Data
When you run a compliance scan, we process:
- Cloud account identifier (AWS Account ID or Azure Subscription ID)
- Cloud resource configuration metadata (read-only, no content data)
- Compliance check results (pass/fail status per check)
- Scan timestamps and compliance scores
We do NOT collect: the contents of S3 objects, database records, secrets, access keys, or any user data stored in your cloud resources. We only read infrastructure configuration metadata.
2.3 Usage Data
We collect minimal usage data:
- IP address (for rate limiting and security, not tracked)
- Browser user-agent (for compatibility)
- Pages visited and feature usage (no third-party analytics)
2.4 Cookies
We use only strictly necessary cookies:
- Authentication token — stored in localStorage, required for the application to function
- Cookie consent — remembers your cookie preference
- Language preference — remembers your language selection
We do not use tracking cookies, advertising cookies, or third-party analytics (no Google Analytics, no Facebook Pixel, no Hotjar).
3. Legal Basis (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)): Processing account and scan data to provide the Service
- Legitimate interest (Art. 6(1)(f)): Security measures, fraud prevention, service improvement
- Consent (Art. 6(1)(a)): Marketing emails (opt-in only)
- Legal obligation (Art. 6(1)(c)): Tax and accounting records
4. Data Storage and Security
All data is stored on servers operated by Netcup GmbH in Karlsruhe, Germany. We implement the following security measures:
- AES-256 encryption at rest for all database data
- TLS 1.3 encryption for all data in transit
- Passwords hashed with bcrypt (cost factor 12)
- API keys hashed before storage
- Regular security updates and patching
5. Subprocessors
We use the following subprocessors:
| Provider | Purpose | Location |
|---|---|---|
| Netcup GmbH | Server hosting | Germany |
| Cloudflare | DNS resolution (no proxy) | EU |
| Stripe | Payment processing | EU (Ireland) |
| Poste.io (self-hosted) | Transactional email | Germany (our server) |
No US-based subprocessors. Your data never leaves the European Union.
6. Data Retention
- Account data: Retained until account deletion
- Scan results: Retained until account deletion or manual deletion by user
- Server logs: Automatically deleted after 30 days
- Billing data: Retained for 10 years as required by German tax law (§ 147 AO)
Upon account deletion, all personal data and scan results are permanently erased within 24 hours, except where retention is legally required.
7. Your Rights (GDPR Art. 15–22)
You have the right to:
- Access (Art. 15): Request a copy of all personal data we hold about you
- Rectification (Art. 16): Correct inaccurate personal data
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
- Data portability (Art. 20): Export your data in a machine-readable format (JSON)
- Restriction (Art. 18): Restrict processing of your data
- Objection (Art. 21): Object to processing based on legitimate interest
- Withdraw consent (Art. 7): Withdraw previously given consent at any time
To exercise these rights, contact us at [email protected]. We will respond within 30 days.
8. Right to Complain
You have the right to lodge a complaint with a supervisory authority. The competent supervisory authority is: Die Landesbeauftragte für den Datenschutz und die Informationsfreiheit des zuständigen Bundeslandes.
9. Data Processing Agreement
If you process personal data using ConformScan on behalf of third parties (e.g., scanning client cloud accounts as a managed service provider), a Data Processing Agreement (DPA) pursuant to GDPR Article 28 is required. Our standard DPA is available at /dpa.
10. Changes
We may update this Privacy Policy from time to time. We will notify registered users via email of material changes at least 14 days before they take effect.
Privacy Policy
1. Controller
The controller responsible for data processing is: ConformScan, Soukeina Hane, 2 Place de Port au Prince, 75013 Paris, France. Email: [email protected]
2. Data Collected
When you register, we collect: email address, hashed password (never stored in plain text), and optionally company name. During scans, we process: cloud account ID, configuration metadata (read-only), check results (pass/fail), and scan timestamps.
We do NOT collect: contents of S3 objects, database records, secrets, access keys, or user data in your cloud resources.
3. Legal Basis (GDPR Art. 6)
Contract performance (Art. 6(1)(b)), legitimate interest (Art. 6(1)(f)), consent (Art. 6(1)(a)) for marketing emails, legal obligation (Art. 6(1)(c)) for tax records.
4. Storage and Security
All data is stored on servers operated by Netcup GmbH in Karlsruhe, Germany. Encryption: AES-256 at rest, TLS 1.3 in transit. Passwords hashed with bcrypt. No US subprocessors.
5. Retention
Account data until deletion. Scan results until deletion. Server logs deleted after 30 days. Billing data 10 years (§ 147 AO).
6. Your Rights
You have the right of access (Art. 15), rectification (Art. 16), erasure (Art. 17), data portability (Art. 20), restriction (Art. 18), objection (Art. 21), and withdrawal of consent (Art. 7). Contact: [email protected]
7. Right to Complain
You have the right to lodge a complaint with a data protection supervisory authority.
8. Cookies
We use only strictly necessary cookies (authentication, language setting, cookie consent). No tracking cookies, no Google Analytics, no Facebook Pixel.