Privacy Policy

Effective July 6, 2026 · v2026-07-06

1. Who We Are

Vexera ApS ("Vexera", "we", "us") provides an AI-driven penetration testing platform that performs authorized security testing of customer systems and reports the results. We are a Danish company, registered under CVR number 46442350, with registered address at Fuglegårdsvej 36D, 2820 Gentofte, Denmark.

For the processing described in this policy, Vexera ApS is the data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (databeskyttelsesloven). Questions about this policy or about how we handle personal data can be sent to privacy@vexera.ai.

This policy covers our public website (vexera.ai), the Vexera platform, and our communication with customers, prospects, suppliers, event contacts, and anyone else who interacts with us.

2. Controller and Processor Roles

Vexera acts in two distinct roles, and which one applies matters for your rights.

We act as a data controller for the data we decide how and why to process: your account, billing, security logs, support conversations, and marketing. That processing is what this policy describes.

We act as a data processor when we test a customer's systems. Code, HTTP traffic, configuration, screenshots, and other scan evidence from a customer's environment can incidentally contain personal data (for example names or email addresses stored in application data). We process that data only on the customer's documented instructions under a data processing agreement (DPA), and the customer's own privacy policy governs it.

If your personal data appears in a customer's systems that we have tested, that customer is the controller, and you should direct requests about your data to them. We assist the customer in handling such requests as required by the DPA.

3. Information We Collect

What we collect depends on how you interact with us. We aim to collect only what we need to run the service.

A. Information you provide to us

  • Account data: your name, work email address, password (stored as a salted hash, never in plain text), role, organization membership, and two-factor authentication settings.
  • Communications: when you request a demo, contact support, report a security issue, or otherwise write to us, we receive your name, email address, company, and the content of your messages.
  • Billing data: billing contact details, company name, VAT or company registration numbers, and transaction records. Card details are entered directly with our payment provider Stripe; we never see or store full card numbers.
  • Scan configuration: the targets, scope definitions, and rules of engagement you set up, and any credentials you supply for authenticated testing. Credentials are stored encrypted and are used only for the engagement they were provided for.
  • Marketing, surveys, and events: if you subscribe to updates, answer a survey, or meet us at a conference or other event, we collect the contact details and responses you choose to share with us.

B. Information collected automatically

When you use the website or the platform, we automatically record the technical data needed to keep the service secure and working:

  • IP address, browser type, operating system, and device information.
  • Authentication events (logins, logouts, failed attempts), session identifiers, and two-factor challenges.
  • Audit logs of administrative actions, such as inviting a member, changing a role, or starting a scan, kept so organizations can review who did what.
  • Error and performance data collected through our error tracking (Sentry), with personal data scrubbed before it is stored.

We do not run advertising trackers or third-party analytics on the website or the platform, and we do not track you across other sites.

C. Information from other sources

  • From your organization: if an administrator invites you to Vexera, we receive your name, work email address, and assigned role from them.
  • From our payment provider: confirmation of payment status and the billing details needed to reconcile invoices.
  • From public sources: publicly available business contact information, used only to prepare or follow up on a commercial dialogue.

4. How We Use Your Information

We only process personal data where the GDPR gives us a legal basis to do so. The table below maps each purpose to its basis.

PurposeExamplesLegal basis
Providing the serviceCreating accounts, authentication, running scans, delivering reports, supportArt. 6(1)(b), contract
Security and abuse preventionSecurity logs, audit trails, rate limiting, fraud detectionArt. 6(1)(f), legitimate interest
Billing and accountingInvoicing, payment records, bookkeepingArt. 6(1)(b) and 6(1)(c), Danish Bookkeeping Act
Sales and customer dialogueAnswering inquiries, onboarding, contract managementArt. 6(1)(b) or 6(1)(f)
MarketingNewsletters and product updates by emailArt. 6(1)(a), consent
Event and survey follow-upFollowing up on a conversation from a conference or event, or on a survey you took part inArt. 6(1)(f), legitimate interest
Legal compliance and claimsResponding to lawful requests, establishing or defending legal claimsArt. 6(1)(c) or 6(1)(f)

Where we rely on legitimate interest, we have weighed our interest against your rights and freedoms, and you can object at any time (see Your Rights below). Email marketing is only sent with your prior consent, as required by section 10 of the Danish Marketing Practices Act, and every marketing email includes an unsubscribe link. Opting out of marketing does not stop transactional emails about your account, security, or billing.

Within an organization, other members can see your name, email address, and role, and administrators can review audit logs of actions taken in the organization. This is part of how the platform works and is covered by the contract basis above.

We may create de-identified and aggregated data, for example vulnerability statistics across many scans, that can no longer be linked to you or any other person. Such data is no longer personal data; we use it for research, benchmarking, and improving the service.

We do not sell personal data, and we do not use it for advertising.

5. AI-Assisted Processing

Vexera's scanning engine uses large language models to analyze code, traffic, and application behavior. During a scan, technical context (code snippets, HTTP requests and responses, configuration, findings) is submitted to the AI model providers listed in the subprocessor tables below. Model inference for scans runs on EU infrastructure.

Our agreements with model providers prohibit using this data to train their models and limit how long they may retain it. We also minimize what is sent: prompts are built from the technical context a scan needs, and we work to strip personal data from them where it is not relevant to the security analysis.

We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals within the meaning of GDPR Article 22. Scan findings describe systems, not people, and reports are reviewed by the customer before any action is taken.

6. Subprocessors

We use a small set of vendors (subprocessors) to run Vexera. Each one is bound by a data processing agreement, and we notify customers before adding or replacing a vendor on this list, as set out in our DPA. The live list, including each vendor's security certifications, is maintained at trust.vexera.ai.

AI model providers

SubprocessorPurposeLocation
Microsoft AzureAI model inference for vulnerability analysisEU
Google CloudAI model inference for vulnerability analysisEU

Infrastructure and hosting

SubprocessorPurposeLocation
Google CloudConfidential sandboxes and cloud hostingEU
dataforest GmbHCloud hostingEU (Frankfurt)
MongoDB, Inc.Primary application databaseEU (Frankfurt)
Redis Ltd.Job queues, caching, and session managementEU (Frankfurt)
Cloudflare, Inc.DDoS protection, WAF, domain management, and object storageEU

Payments

SubprocessorPurposeLocation
Stripe Payments Europe, Ltd.Payment processing and invoicingEU (Dublin)

Monitoring

SubprocessorPurposeLocation
Functional Software, Inc. (Sentry)Error tracking and performance monitoringEU

Email

SubprocessorPurposeLocation
Proton AGEmail infrastructureSwitzerland

Automation

SubprocessorPurposeLocation
Celonis Inc.Workflow automationEU

7. Other Disclosures

Beyond subprocessors, we disclose personal data only in a few situations:

  • Inside your organization: members of your organization can see your name, email address, and role, and administrators can see audit logs of actions taken in the organization.
  • Professional advisers: lawyers, accountants, and auditors, where needed and under confidentiality obligations.
  • Authorities: where we are legally required to, for example by a court order or under Danish accounting and tax law.
  • To protect us or others: where we believe in good faith it is necessary to enforce our agreements, collect amounts owed to us, or protect the rights, property, or safety of Vexera, our customers, or others.
  • Corporate transactions: if Vexera is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We would ensure the receiving party remains bound by obligations consistent with this policy and notify you where the law requires it.

8. International Transfers

Vexera's infrastructure is configured to store and process data in the EU. Our databases, job queues, object storage, hosting, and AI model inference all run in EU regions, as shown in the subprocessor tables above.

Our email infrastructure runs with Proton AG in Switzerland, a country the European Commission has recognized as providing adequate data protection under GDPR Article 45, so no additional safeguards are needed for that transfer.

Some of our vendors have parent companies outside the EU/EEA. Where personal data could be transferred to, or accessed from, a third country (for example vendor support access from the United States), we rely on the European Commission's Standard Contractual Clauses, carry out transfer impact assessments, and apply supplementary measures such as encryption. Contact privacy@vexera.ai for more information about the safeguards applied to a specific vendor.

9. Data Retention

We keep personal data only as long as the purpose it was collected for requires, or as long as the law obliges us to. After that, it is deleted or anonymized.

DataHow long we keep it
Account and profile dataWhile your account is active; deleted when the account is terminated, unless a legal obligation requires longer
Source code and repository contents fetched for a scanDeleted when the scan completes
Scan reports and findingsAvailable for the duration of your subscription; deleted on account termination
Security and audit logsUp to 24 months, then deleted or anonymized
Accounting records5 years from the end of the financial year they relate to, as required by the Danish Bookkeeping Act
Support and sales correspondenceUp to 3 years after the dialogue ends, in line with the general Danish limitation period for claims (forældelsesloven)

If a legal claim or an investigation requires it, we may keep specific data longer than the periods above, limited to what the matter actually requires.

10. How We Protect Your Data

Security is our product, and we apply the same standards to ourselves. Our measures include:

  • Encryption in transit (TLS) and at rest for all stores that hold personal data.
  • Role-based access control, least-privilege access, and two-factor authentication.
  • Audit logging of administrative and security-relevant actions.
  • Isolated, single-use sandboxes for scan execution, destroyed after each engagement.
  • Scrubbing of personal data from error tracking before storage.
  • Documented incident response procedures.

No system is perfectly secure, which is why we design for containment and detection as well as prevention. If a personal data breach occurs, we notify the Danish Data Protection Agency (Datatilsynet) without undue delay and, where feasible, within 72 hours, as required by GDPR Article 33. We notify affected individuals directly when the breach is likely to result in a high risk to them (Article 34).

11. Your Rights

When Vexera is the controller of your personal data, the GDPR gives you the following rights:

  • Access (Article 15): get a copy of the personal data we hold about you.
  • Rectification (Article 16): have inaccurate or incomplete data corrected.
  • Erasure (Article 17): have your data deleted, subject to legal retention duties such as bookkeeping.
  • Restriction (Article 18): have processing limited while a dispute or verification is pending.
  • Portability (Article 20): receive data you provided to us in a structured, machine-readable format.
  • Objection (Article 21): object to processing based on legitimate interest. For direct marketing the right to object is absolute; we stop immediately.
  • Withdraw consent: where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.

To exercise any of these rights, email privacy@vexera.ai. We may need to verify your identity before acting on a request. We respond without undue delay and at the latest within one month; for complex requests we may extend by up to two further months, and we will tell you if we do. Exercising your rights is free of charge, and you will not be treated differently for doing so.

If your data appears in scan data we process on behalf of a customer, please contact that customer, since they are the controller. We will assist them in answering your request.

12. Cookies

We only set cookies that are strictly necessary for the service to work: keeping you signed in, securing your session, and protecting forms against cross-site request forgery. We set no advertising, analytics, or cross-site tracking cookies.

Under the Danish Cookie Order (cookiebekendtgørelsen), strictly necessary cookies do not require consent, which is why you do not see a cookie banner on our site. If we ever introduce cookies that require consent, we will ask before setting them.

13. Third-Party Links

The website, the platform, and our reports may contain links to third-party websites, tools, and services that we do not control, for example vendor advisories or reference material about a vulnerability. Their own privacy policies apply, and we are not responsible for their practices or content.

14. Children

Vexera is a business service, is not directed at children, and does not knowingly collect personal data from anyone under 18; if we learn that we have, we delete it.

15. Complaints

If you are unhappy with how we handle your personal data, contact us at privacy@vexera.ai first; most issues can be resolved directly.

You also have the right to lodge a complaint with the Danish Data Protection Agency: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, phone +45 33 19 32 00, dt@datatilsynet.dk, www.datatilsynet.dk. If you live or work in another EU/EEA country, you can complain to the supervisory authority there instead.

16. Changes to This Policy

We update this policy when our processing, our vendors, or the law changes. Each version carries a version number and an effective date, shown at the top of this page.

For material changes, we notify account holders by email or in the platform before the change takes effect, and we ask you to review the updated policy the next time you sign in. Earlier versions are available on request.

17. Contact

Vexera ApS (CVR 46442350)

Fuglegårdsvej 36D, 2820 Gentofte, Denmark

privacy@vexera.ai

© 2026 Vexera ApS