Privacy Policy
Introduction
WhiteHawk Security ("WhiteHawk," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. As a cybersecurity company, we hold ourselves to the highest standards of data protection — the same standards we help our clients achieve.
This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website (whitehawk.com), use our All-in-One cybersecurity platform, or interact with us through our marketing channels, including "Request a Demo" and "Start Free Trial" forms.
Our platform provides Offensive Security (vulnerability scanning and penetration testing), Defensive Security (real-time threat monitoring and incident response), Governance, Risk & Compliance (GRC), and Asset Management services. Given the sensitive nature of these operations, this policy specifically addresses how we handle both your personal data and your organizational system data.
By accessing our website or using our platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms herein, please discontinue use of our services immediately.
Information We Collect
We collect information through several channels, depending on your interaction with WhiteHawk:
2.1 Information You Provide Directly
Contact & Account Information: When you submit a "Request a Demo" or "Start Free Trial" form, we collect your full name, business email address, phone number, company name, job title, and company size.
Login Credentials: When you create a WhiteHawk platform account, we collect your email address and a securely hashed password. We also support single sign-on (SSO) authentication through third-party identity providers.
Payment Information: For subscription and transaction processing, we collect billing details. Payment card information is processed by our PCI DSS-compliant payment processor and is never stored on our servers.
Support Communications: Any information you provide when contacting our support team, including ticket content, email correspondence, and call recordings (with prior consent).
2.2 Information Collected Automatically
User Activity Logs: We record platform usage data including login timestamps, pages accessed, features used, scan configurations, and report generation activity. This data is used to deliver and improve our services.
Device & Browser Information: IP address, browser type, operating system, device identifiers, and referring URLs.
Cookies & Tracking Technologies: We use cookies, web beacons, and similar technologies to enhance your experience and gather analytical data. See Section 08 (Cookie Policy) for details.
2.3 Client System & Infrastructure Data
Given the nature of our cybersecurity services, WhiteHawk processes data related to your organization's IT infrastructure:
Vulnerability Scan Data: Information gathered during offensive security assessments, including open ports, software versions, configuration details, and identified vulnerabilities.
Asset Inventory Data: Hardware and software asset information, network topology data, and endpoint configurations collected through our Asset Management module.
Security Event Data: Logs, alerts, and telemetry data processed through our Defensive Security module for threat detection and incident response.
Compliance Data: Policy documents, audit evidence, risk assessments, and compliance status information managed within our GRC module.
How We Use Your Information
WhiteHawk processes your information for the following purposes, each grounded in a lawful basis under applicable data protection regulations:
Service Delivery
To provide our cybersecurity services, including vulnerability scanning, real-time threat monitoring, compliance reporting, and asset management. This constitutes the core performance of our contractual obligations.
Transaction Processing
To process subscriptions, manage billing cycles, issue invoices, and handle refund requests in accordance with our commercial agreements.
Security Alerts & Reports
To send critical security alerts, vulnerability notifications, compliance deadline reminders, and periodic security posture reports as part of our service.
Platform Improvement
To improve our threat detection algorithms, enhance platform performance, and develop new security features. Where possible, this is done using aggregated, anonymized data.
Communication
To respond to your inquiries, provide technical support, and send service-related notifications. Marketing communications are only sent with your explicit consent.
Legal & Compliance
To comply with applicable laws, regulations, and legal processes, and to enforce our Terms of Service and protect our rights and the rights of our users.
International Data Transfers
WhiteHawk operates globally and may transfer, store, and process your information in countries other than your country of residence. We are committed to ensuring that all international data transfers comply with applicable data protection laws.
GDPR Compliance (European Economic Area)
For users and clients in the European Economic Area (EEA), United Kingdom, and Switzerland, WhiteHawk processes personal data in compliance with the General Data Protection Regulation (GDPR). We ensure lawful transfer of data outside the EEA through:
Standard Contractual Clauses (SCCs): We execute EU-approved Standard Contractual Clauses with all sub-processors and data recipients located outside the EEA.
Adequacy Decisions: Where applicable, we transfer data to countries recognized by the European Commission as providing adequate data protection.
Data Sovereignty Options: Enterprise clients may request data residency within specific geographic regions. WhiteHawk supports EU-based data hosting through our AWS and Azure infrastructure.
Additional Regional Compliance
AICPA SOC 2 Type II: Our platform undergoes annual SOC 2 Type II audits, verifying that our security, availability, processing integrity, confidentiality, and privacy controls meet AICPA standards.
ISO 27001: WhiteHawk maintains ISO 27001 certification for our information security management system (ISMS), ensuring systematic management of sensitive company and customer information.
PCI DSS: All payment processing is handled in accordance with PCI DSS requirements, ensuring the secure handling of cardholder data.
Data Security & Retention
As a cybersecurity company, data security is not merely a compliance requirement — it is foundational to our identity. WhiteHawk implements comprehensive, defense-in-depth security measures to protect the data entrusted to us.
Encryption
All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. Database-level encryption and key management are handled through dedicated hardware security modules (HSMs).
Access Controls
We enforce strict role-based access controls (RBAC) with mandatory multi-factor authentication (MFA) for all platform access. Privileged access is governed by just-in-time (JIT) provisioning.
Infrastructure Security
Our platform is hosted on SOC 2-certified cloud infrastructure with network segmentation, intrusion detection/prevention systems (IDS/IPS), and continuous security monitoring.
Security Operations
Our internal security team conducts regular penetration testing, vulnerability assessments, and security code reviews. Incident response procedures are tested quarterly.
Data Retention
Account Data: Retained for the duration of your active subscription, plus 90 days following account termination to facilitate data export requests.
Security Scan & Monitoring Data: Retained for a default period of 12 months, configurable by the client up to 36 months based on compliance requirements.
Compliance & Audit Data: Retained in accordance with applicable regulatory requirements, typically between 5 and 7 years.
Marketing Contact Data: Retained until you withdraw consent or request deletion, whichever occurs first.
Server Logs: Automatically purged after 180 days unless required for an active investigation or legal hold.
Your Rights & Choices
WhiteHawk respects your data privacy rights. Depending on your jurisdiction, you may have the following rights regarding your personal data:
Right of Access
You may request a copy of the personal data we hold about you, including information about how it is processed and to whom it has been disclosed.
Right to Rectification
You may request correction of inaccurate or incomplete personal data. You can also update most account information directly through the WhiteHawk platform.
Right to Erasure (Right to Be Forgotten)
You may request deletion of your personal data, subject to our legal obligations to retain certain records for compliance, tax, or contractual purposes.
Right to Data Portability
You may request that your personal data be provided to you in a structured, commonly used, and machine-readable format.
Right to Restrict Processing
You may request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Object
You may object to the processing of your personal data for direct marketing purposes or where processing is based on legitimate interests.
Opt-Out of Marketing Communications
You may opt out of receiving promotional emails at any time by:
- Clicking the "Unsubscribe" link in any marketing email.
- Updating your communication preferences in your WhiteHawk account settings.
- Contacting us at privacy@whitehawk.com.
Please note that opting out of marketing communications does not affect service-related notifications, such as security alerts and compliance reports, which are essential to the delivery of our platform.
To exercise any of these rights, please contact our Data Protection Officer at dpo@whitehawk.com. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). We may request verification of your identity before processing your request to protect against unauthorized access.
Changes to This Policy
WhiteHawk reserves the right to update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or business operations.
When we make material changes to this policy, we will:
- Update the "Last Updated" date at the top of this page.
- Provide prominent notice on our website (e.g., a banner notification).
- For material changes affecting existing clients, send email notification at least 30 days prior to the changes taking effect.
- Where required by applicable law, obtain your consent before implementing changes that affect the processing of your personal data.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through any of the following channels:
EU Representative: If you are located in the European Economic Area and wish to exercise your rights under the GDPR, you may also contact our designated EU representative at eu-representative@whitehawk.com.
If you believe that your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.