Learn how Breachsense protects the data it collects and the data you send us.
• All data is encrypted in transit and at rest. If you’re filling out a vendor security questionnaire, that’s the short answer.
• Only employees who need access for their job can see customer data. Nobody at Breachsense browses accounts casually.
• We don’t sell your data. Vendors we work with are contractually bound to the same standards.
• You own your data. Ask us to delete it anytime and we will.
If you’re evaluating Breachsense, you’ll want to know how we handle sensitive data. That’s a reasonable question for any vendor that processes breach intelligence.
This page covers how we process and protect both the monitoring data we collect and the information you provide through the platform.
Our privacy policy has the full legal language. This page explains the same concepts in plain terms.
Here’s what happens to your data once it reaches us.
How does Breachsense handle monitoring data?
Breachsense collects data from dark web sources and indexes it so you can search for your organization’s exposure. Here’s what that means in practice.
The data we collect, like leaked credentials from ransomware leak sites and infostealer channels, was already public before we touched it. Attackers published it. We index it so you can find out whether your data is in there.
You’ll see “encryption at rest” on vendor security questionnaires. Here’s what it means.
Encryption at rest means your data is encrypted while stored on disk, not just while it’s being transmitted. Even if someone gained physical access to the storage hardware, they couldn’t read the data without the encryption keys.
When you query the Breachsense API or dashboard, your request travels over TLS. The results come back encrypted too. The underlying data is encrypted at rest on our infrastructure.
Who can access customer data?
Only employees who need access for their job. We don’t have a setup where anyone at the company can browse customer accounts.
When you use the API, your queries are authenticated with your license key. That key is tied to your account and determines what you can access.
Security assessments often ask about access controls. Here’s the term you’ll see.
Role-based access control (RBAC) restricts system access based on a person’s role. Instead of giving everyone full access, each employee only sees what they need for their specific job function.
Third-party vendors we work with, like hosting providers and payment processors, are contractually bound to protect your data. They can’t use it for their own purposes.
How long is data retained?
We keep your account data and query history while your account is active. If you cancel or ask us to remove it, we do.
The dark web monitoring data in our database is different. That data was public before we indexed it. We retain it so you can search historical breaches, not just recent ones.
If you need specific data removed, contact us. We’ll handle it unless there’s a legal reason we can’t.
Does Breachsense share data with third parties?
We don’t sell your data. Period.
We work with vendors who help run the platform. Each one is held to security requirements and can only use your data to deliver their service to us.
Our privacy policy lists who we work with and what safeguards are in place.
What compliance standards does Breachsense follow?
Breachsense complies with GDPR and CCPA. That means you have the right to:
- Access your data and know what we’ve collected
- Correct inaccurate information
- Delete your data on request
- Export your data in a portable format
- Object to specific processing activities
If you’re running a vendor security assessment, contact us for additional details on our security controls.
What about the data I search for?
When you search for a domain or email address through Breachsense, that query is tied to your account. We use query data to provide the service and improve the platform. We don’t share your search queries with anyone.
Your monitoring configuration, like which domains you’re watching, is visible only to your account. Other customers can’t see what you’re monitoring.
For the full legal details, see our privacy policy. For questions about security assessments or compliance documentation, contact us.
Security and Data Handling FAQ
Breachsense stores compromised credentials that were already leaked publicly. We don’t store your current passwords. When you search for exposed credentials, you’re checking what attackers already have, not sharing anything new with us.
Yes. All data transmitted to and from Breachsense uses TLS. Data at rest is encrypted at the infrastructure level. This covers both our monitoring database and any information you provide through the platform.
Only employees who need it for their job. We don’t have open access to customer accounts. Vendors we work with are contractually required to meet our security standards.
Yes. Contact us and we’ll remove it. The only exception is data we’re legally required to keep.
No. We work with hosting providers and payment processors to run the platform, but they can’t use your data for their own purposes.
We keep your account data while your account is active. When you cancel or ask us to remove it, we do. Dark web monitoring data stays in our database because it was out there before we indexed it.
We monitor publicly accessible dark web sources including leak sites and hacker forums. Our methodology page explains the process in detail. We only index data that attackers have already published.
