Our Portal

Privacy Policy

Last Updated: 10th April 2026

1. Introduction

Pentesys Ltd (“Pentesys”, “we”, “us”, “our”) is a cybersecurity services provider delivering penetration testing, red teaming, threat-led testing, attack surface monitoring, and platform-based security services (including “Mirage”).

Due to the nature of our services, we may process sensitive technical, security, and operational data, including limited personal data contained within client systems.

We are committed to protecting personal data and handling all information in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Applicable information security and confidentiality standards

This Privacy Policy explains how we collect, use, disclose, and protect personal data across all services.

2. Data Controller and Processor Roles

Depending on the service:

  • Pentesys acts as a Data Controller for:
    • Website visitors
    • Marketing and business contacts
    • Platform account management
  • Pentesys acts as a Data Processor for:
    • Client data processed during security testing
    • Platform data hosted on behalf of clients
    • Vulnerability, log, and system data within client environments

Where acting as a processor, we process data strictly in accordance with client instructions and contractual agreements.

3. Categories of Personal Data

3.1 Business and Contact Data

  • Name, job title, organisation
  • Email address, phone number
  • Communication records and correspondence

3.2 Technical and Usage Data

  • IP addresses and network identifiers
  • Device, browser, and session data
  • Platform access logs and audit trails

3.3 Security Testing Data (Client Environments)

Due to the nature of cybersecurity services, we may process:

  • User account identifiers and directory data (e.g. usernames, emails)
  • Authentication artefacts (e.g. hashes, tokens, session data)
  • System and application logs
  • Vulnerability data that may reference user accounts
  • Evidence data captured during testing (e.g. screenshots, outputs)

Important:
Pentesys does not intentionally collect personal data, but such data may be encountered incidentally during authorised testing activities.

3.4 Sensitive Data Handling

We do not intentionally process special category data. If encountered during testing:

  • Processing is strictly limited to what is necessary
  • Data is handled with enhanced security controls
  • Exposure is minimised and reported appropriately

4. Purpose of Processing

We process personal data strictly for legitimate and defined purposes:

  • Delivering contracted cybersecurity services
  • Identifying, validating, and reporting security vulnerabilities
  • Providing access to and operating the Mirage platform
  • Maintaining system security, monitoring, and logging
  • Communicating with clients and stakeholders
  • Complying with legal, regulatory, and contractual obligations

We do not use client data for marketing or unrelated purposes.

5. Lawful Basis for Processing

We rely on the following legal bases:

  • Contractual Necessity – delivering agreed services
  • Legitimate Interests – maintaining security, improving services, preventing fraud
  • Legal Obligation – compliance with applicable laws
  • Consent – where required (e.g. marketing communications)

For security testing, processing is typically justified under legitimate interests and contractual necessity, combined with explicit client authorisation.

6. Security Testing and Data Minimisation

Pentesys operates under strict data minimisation principles:

  • Only data necessary to validate security issues is accessed
  • Testing is conducted within agreed scope and authorisation
  • Evidence collection is limited to what is required for reporting
  • Data exposure is minimised wherever possible

We apply controlled, ethical, and proportionate testing methodologies aligned with industry standards (e.g. OWASP, NIST, CREST, TIBER-EU where applicable).

7. Data Sharing and Subprocessors

We may share personal data with:

  • Approved infrastructure providers (e.g. cloud hosting providers)
  • Security tooling providers required to deliver services
  • Professional advisers (legal, audit, compliance)
  • Regulatory or law enforcement authorities (where legally required)

All subprocessors are subject to:

  • Due diligence and security assessment
  • Contractual data protection obligations
  • Confidentiality requirements

A list of subprocessors can be provided upon request.

8. International Transfers

Where data is transferred outside the UK:

  • Transfers are limited and controlled
  • Appropriate safeguards are implemented, including:
    • UK International Data Transfer Agreements (IDTA)
    • Standard Contractual Clauses (SCCs)

9. Data Retention

We retain data only as long as necessary:

  • Client data: retained in line with contractual agreements
  • Security findings and reports: retained for audit and reference purposes
  • Platform data: retained based on subscription and configuration

Secure deletion processes are applied when data is no longer required.

10. Data Security Measures

Pentesys implements enterprise-grade security controls, including:

  • Encryption of data in transit (TLS 1.2+)
  • Encryption at rest where applicable
  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Secure logging and monitoring
  • Network segmentation and access restrictions
  • Secure development lifecycle practices

Access to client data is strictly limited to authorised personnel on a need-to-know basis.

11. Confidentiality of Security Data

Security findings, vulnerabilities, and testing outputs are treated as highly sensitive.

Pentesys:

  • Restricts access to authorised personnel only
  • Ensures secure storage and transmission of reports
  • Does not disclose findings without client consent unless legally required

Clients are responsible for managing and protecting distributed reports.

12. Platform (Mirage) Data Handling

For platform services:

  • Data is logically segregated between tenants
  • Access is controlled via authentication and authorisation mechanisms
  • Audit logs are maintained for security and accountability
  • Clients are responsible for managing user access within their organisation

We implement controls to prevent unauthorised cross-tenant access.

13. Data Breach Management

In the event of a personal data breach:

  • Incidents are identified, assessed, and contained promptly
  • Clients are notified without undue delay where applicable
  • Regulatory notifications are made in accordance with UK GDPR
  • Remediation actions are implemented to prevent recurrence

14. Your Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure (subject to legal and contractual limitations)
  • Restrict or object to processing
  • Request data portability

Requests can be made via enquiries@pentesys.com.

Where Pentesys acts as a processor, requests may be directed to the relevant client.

15. Cookies and Website Tracking

We use cookies and similar technologies to:

  • Ensure website functionality
  • Analyse usage and performance
  • Improve user experience

Users can manage cookie preferences via browser settings.

16. Third-Party Links

Our Website may contain links to third-party websites. We are not responsible for their privacy practices.

17. No Unauthorised Use of Data

Pentesys does not:

  • Sell personal data
  • Use client data for advertising or profiling
  • Exploit security findings for any purpose outside authorised engagements

18. Changes to This Policy

We may update this Privacy Policy periodically. Updates will be published on this page.

19. Regulatory Authority

If you have concerns, you may contact:

Information Commissioner’s Office (ICO)
https://ico.org.uk

20. Contact

Pentesys Ltd
Website: https://pentesys.com
Email: enquiries@pentesys.com