ShadowTrackr

Fully European company · Data stored in Germany · BIO2 & GDPR compliant

Security & Trust

ShadowTrackr is a cybersecurity product. Our customers trust us with visibility into their most sensitive infrastructure. We hold ourselves to the same standard we help them achieve.

This page explains how we protect your data and our platform. If you have questions not answered here, contact us at .

Infrastructure & Data Hosting

All customer data is stored in Germany.

Our core infrastructure runs on servers operated by Hetzner Online GmbH, a fully German-owned company headquartered in Gunzenhausen, Germany. Hetzner operates data centres under German law and EU regulation.

Scanner nodes are placed globally to perform external-perspective scanning — the same view an attacker has. These nodes:

Encryption

Context                                     Standard
Data in transit (web, API)                  TLS 1.2 minimum, TLS 1.3 preferred
Data in transit (scanner nodes → core)      TLS with certificate pinning
Data at rest (core infrastructure)          AES-256
Scanner node storage                        AES-256 full-disk encryption
Backups                                     Encrypted with AES-256, stored in Germany

We score ourselves on the same SSL Labs / TLS grading criteria we use to grade your certificates. We aim for an A+ on all endpoints.

Authentication & Access Control

Customer authentication

Internal access controls

ShadowTrackr staff may access customer data for support and development purposes. Because ShadowTrackr works exclusively with data found on or derived from the external attack surface, this data does not typically contain privacy-sensitive information. Access to customer account details and financial data is restricted to authorised internal staff on a need-to-know basis.

No AI in Your Data

ShadowTrackr does not use AI agents, large language models or automated profiling on your data. Your asset data is not used to train machine learning models, fed to third-party AI APIs or processed for any purpose other than delivering the ShadowTrackr service to you.

No Tracking

We use only functional cookies — strictly necessary to manage your login session. We do not use Google Analytics, Meta Pixel, advertising networks or any third-party tracking technology. You can verify this with any browser developer tools or network inspector.

Vulnerability Management

We practice what we preach:

Responsible Disclosure

We welcome reports from security researchers. If you find a vulnerability in any ShadowTrackr system, please email with:

Scope:

Out of scope: social engineering, physical attacks, denial-of-service testing.

Safe harbour: researchers who follow responsible disclosure and do not access, modify or exfiltrate user data will not face legal action. We will acknowledge your report within 3 business days and keep you updated on our remediation progress.

We do not currently operate a paid bug bounty programme, but we will thank you publicly (if you want) and may offer account credit for significant findings.

Compliance

Enterprise and government customers can request our current compliance documentation by emailing .

Built on certified infrastructure
ShadowTrackr runs on EU-based infrastructure operated by providers independently audited to the highest security standards. Our core platform runs on Hetzner (ISO 27001:2022, BSI C5 Type 2, KRITIS §8a), and our distributed scanner network runs on Akamai Cloud (ISO 27001, SOC 2 Type 2, BSI C5). This means the physical, network, and hypervisor layers of our platform meet standards required by EU government and critical infrastructure procurement frameworks.

ShadowTrackr itself does not have an ISO 27001 certificate yet; we're building toward that. Our infrastructure providers are already certified, and we're implementing ISO-aligned controls internally. We expect to pursue certification as the business scales.

Data Processing Agreements

We offer Data Processing Agreements (DPAs) under Art. 28 GDPR for customers who need them for their own compliance obligations. Contact to request a DPA.

Data Retention & Deletion

Customer data is retained for the duration of the active subscription and used solely to deliver the ShadowTrackr service.

After account closure, customer data enters a 30-day grace period. All data remains accessible for export via the dashboard or API. After 30 days, all customer data is permanently deleted from production systems, backups, and scanner nodes. Deletion is irreversible.

After deletion: invoices, billing records, and associated account details are retained for 7 years (Art. 52 EU VAT Directive).

No asset data, scan results, alerts, reports, or API keys are retained after deletion.


Deletion on request — customers may request immediate deletion at any time by contacting privacy@shadowtrackr.com. We confirm deletion in writing within 5 business days (GDPR Art. 17).

Backups are retained on a 30-day rolling basis. Deleted data is fully purged from all backups within 30 days of deletion.

Scanner nodes do not retain customer data. Results are transmitted immediately to core infrastructure — there is no secondary copy to delete.

Incident Response

In the event of a security incident affecting customer data, we will:

  1. Notify affected customers within 72 hours of becoming aware (in line with GDPR Art. 33)
  2. Provide details of what data was affected, how, and what we are doing about it
  3. Report to the relevant supervisory authority as required

Questions

for security questions.
for data protection and GDPR questions.
for everything else.