1. Who We Are
Vexera ApS ("Vexera", "we", "us") provides an AI-driven penetration testing platform that performs authorized security testing of customer systems and reports the results. We are a Danish company, registered under CVR number 46442350, with registered address at Fuglegårdsvej 36D, 2820 Gentofte, Denmark.
For the processing described in this policy, Vexera ApS is the data controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (databeskyttelsesloven). Questions about this policy or about how we handle personal data can be sent to privacy@vexera.ai.
This policy covers our public website (vexera.ai), the Vexera platform, and our communication with customers, prospects, suppliers, event contacts, and anyone else who interacts with us.
2. Controller and Processor Roles
Vexera acts in two distinct roles, and which one applies matters for your rights.
We act as a data controller for the data we decide how and why to process: your account, billing, security logs, support conversations, and marketing. That processing is what this policy describes.
We act as a data processor when we test a customer's systems. Code, HTTP traffic, configuration, screenshots, and other scan evidence from a customer's environment can incidentally contain personal data (for example names or email addresses stored in application data). We process that data only on the customer's documented instructions under a data processing agreement (DPA), and the customer's own privacy policy governs it.
If your personal data appears in a customer's systems that we have tested, that customer is the controller, and you should direct requests about your data to them. We assist the customer in handling such requests as required by the DPA.
3. Information We Collect
What we collect depends on how you interact with us. We aim to collect only what we need to run the service.
A. Information you provide to us
- Account data: your name, work email address, password (stored as a salted hash, never in plain text), role, organization membership, and two-factor authentication settings.
- Communications: when you request a demo, contact support, report a security issue, or otherwise write to us, we receive your name, email address, company, and the content of your messages.
- Billing data: billing contact details, company name, VAT or company registration numbers, and transaction records. Card details are entered directly with our payment provider Stripe; we never see or store full card numbers.
- Scan configuration: the targets, scope definitions, and rules of engagement you set up, and any credentials you supply for authenticated testing. Credentials are stored encrypted and are used only for the engagement they were provided for.
- Marketing, surveys, and events: if you subscribe to updates, answer a survey, or meet us at a conference or other event, we collect the contact details and responses you choose to share with us.
B. Information collected automatically
When you use the website or the platform, we automatically record the technical data needed to keep the service secure and working:
- IP address, browser type, operating system, and device information.
- Authentication events (logins, logouts, failed attempts), session identifiers, and two-factor challenges.
- Audit logs of administrative actions, such as inviting a member, changing a role, or starting a scan, kept so organizations can review who did what.
- Error and performance data collected through our error tracking (Sentry), with personal data scrubbed before it is stored.
We do not run advertising trackers or third-party analytics on the website or the platform, and we do not track you across other sites.
C. Information from other sources
- From your organization: if an administrator invites you to Vexera, we receive your name, work email address, and assigned role from them.
- From our payment provider: confirmation of payment status and the billing details needed to reconcile invoices.
- From public sources: publicly available business contact information, used only to prepare or follow up on a commercial dialogue.
4. How We Use Your Information
We only process personal data where the GDPR gives us a legal basis to do so. The table below maps each purpose to its basis.
| Purpose | Examples | Legal basis |
|---|---|---|
| Providing the service | Creating accounts, authentication, running scans, delivering reports, support | Art. 6(1)(b), contract |
| Security and abuse prevention | Security logs, audit trails, rate limiting, fraud detection | Art. 6(1)(f), legitimate interest |
| Billing and accounting | Invoicing, payment records, bookkeeping | Art. 6(1)(b) and 6(1)(c), Danish Bookkeeping Act |
| Sales and customer dialogue | Answering inquiries, onboarding, contract management | Art. 6(1)(b) or 6(1)(f) |
| Marketing | Newsletters and product updates by email | Art. 6(1)(a), consent |
| Event and survey follow-up | Following up on a conversation from a conference or event, or on a survey you took part in | Art. 6(1)(f), legitimate interest |
| Legal compliance and claims | Responding to lawful requests, establishing or defending legal claims | Art. 6(1)(c) or 6(1)(f) |
Where we rely on legitimate interest, we have weighed our interest against your rights and freedoms, and you can object at any time (see Your Rights below). Email marketing is only sent with your prior consent, as required by section 10 of the Danish Marketing Practices Act, and every marketing email includes an unsubscribe link. Opting out of marketing does not stop transactional emails about your account, security, or billing.
Within an organization, other members can see your name, email address, and role, and administrators can review audit logs of actions taken in the organization. This is part of how the platform works and is covered by the contract basis above.
We may create de-identified and aggregated data, for example vulnerability statistics across many scans, that can no longer be linked to you or any other person. Such data is no longer personal data; we use it for research, benchmarking, and improving the service.
We do not sell personal data, and we do not use it for advertising.
5. AI-Assisted Processing
Vexera's scanning engine uses large language models to analyze code, traffic, and application behavior. During a scan, technical context (code snippets, HTTP requests and responses, configuration, findings) is submitted to the AI model providers listed in the subprocessor tables below. Model inference for scans runs on EU infrastructure.
Our agreements with model providers prohibit using this data to train their models and limit how long they may retain it. We also minimize what is sent: prompts are built from the technical context a scan needs, and we work to strip personal data from them where it is not relevant to the security analysis.
We do not use personal data for automated decision-making that produces legal or similarly significant effects on individuals within the meaning of GDPR Article 22. Scan findings describe systems, not people, and reports are reviewed by the customer before any action is taken.
6. Subprocessors
We use a small set of vendors (subprocessors) to run Vexera. Each one is bound by a data processing agreement, and we notify customers before adding or replacing a vendor on this list, as set out in our DPA. The live list, including each vendor's security certifications, is maintained at trust.vexera.ai.
AI model providers
| Subprocessor | Purpose | Location |
|---|---|---|
| Microsoft Azure | AI model inference for vulnerability analysis | EU |
| Google Cloud | AI model inference for vulnerability analysis | EU |
Infrastructure and hosting
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud | Confidential sandboxes and cloud hosting | EU |
| dataforest GmbH | Cloud hosting | EU (Frankfurt) |
| MongoDB, Inc. | Primary application database | EU (Frankfurt) |
| Redis Ltd. | Job queues, caching, and session management | EU (Frankfurt) |
| Cloudflare, Inc. | DDoS protection, WAF, domain management, and object storage | EU |
Payments
| Subprocessor | Purpose | Location |
|---|---|---|
| Stripe Payments Europe, Ltd. | Payment processing and invoicing | EU (Dublin) |
Monitoring
| Subprocessor | Purpose | Location |
|---|---|---|
| Functional Software, Inc. (Sentry) | Error tracking and performance monitoring | EU |
| Subprocessor | Purpose | Location |
|---|---|---|
| Proton AG | Email infrastructure | Switzerland |
Automation
| Subprocessor | Purpose | Location |
|---|---|---|
| Celonis Inc. | Workflow automation | EU |
7. Other Disclosures
Beyond subprocessors, we disclose personal data only in a few situations:
- Inside your organization: members of your organization can see your name, email address, and role, and administrators can see audit logs of actions taken in the organization.
- Professional advisers: lawyers, accountants, and auditors, where needed and under confidentiality obligations.
- Authorities: where we are legally required to, for example by a court order or under Danish accounting and tax law.
- To protect us or others: where we believe in good faith it is necessary to enforce our agreements, collect amounts owed to us, or protect the rights, property, or safety of Vexera, our customers, or others.
- Corporate transactions: if Vexera is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We would ensure the receiving party remains bound by obligations consistent with this policy and notify you where the law requires it.
8. International Transfers
Vexera's infrastructure is configured to store and process data in the EU. Our databases, job queues, object storage, hosting, and AI model inference all run in EU regions, as shown in the subprocessor tables above.
Our email infrastructure runs with Proton AG in Switzerland, a country the European Commission has recognized as providing adequate data protection under GDPR Article 45, so no additional safeguards are needed for that transfer.
Some of our vendors have parent companies outside the EU/EEA. Where personal data could be transferred to, or accessed from, a third country (for example vendor support access from the United States), we rely on the European Commission's Standard Contractual Clauses, carry out transfer impact assessments, and apply supplementary measures such as encryption. Contact privacy@vexera.ai for more information about the safeguards applied to a specific vendor.
9. Data Retention
We keep personal data only as long as the purpose it was collected for requires, or as long as the law obliges us to. After that, it is deleted or anonymized.
| Data | How long we keep it |
|---|---|
| Account and profile data | While your account is active; deleted when the account is terminated, unless a legal obligation requires longer |
| Source code and repository contents fetched for a scan | Deleted when the scan completes |
| Scan reports and findings | Available for the duration of your subscription; deleted on account termination |
| Security and audit logs | Up to 24 months, then deleted or anonymized |
| Accounting records | 5 years from the end of the financial year they relate to, as required by the Danish Bookkeeping Act |
| Support and sales correspondence | Up to 3 years after the dialogue ends, in line with the general Danish limitation period for claims (forældelsesloven) |
If a legal claim or an investigation requires it, we may keep specific data longer than the periods above, limited to what the matter actually requires.
10. How We Protect Your Data
Security is our product, and we apply the same standards to ourselves. Our measures include:
- Encryption in transit (TLS) and at rest for all stores that hold personal data.
- Role-based access control, least-privilege access, and two-factor authentication.
- Audit logging of administrative and security-relevant actions.
- Isolated, single-use sandboxes for scan execution, destroyed after each engagement.
- Scrubbing of personal data from error tracking before storage.
- Documented incident response procedures.
No system is perfectly secure, which is why we design for containment and detection as well as prevention. If a personal data breach occurs, we notify the Danish Data Protection Agency (Datatilsynet) without undue delay and, where feasible, within 72 hours, as required by GDPR Article 33. We notify affected individuals directly when the breach is likely to result in a high risk to them (Article 34).
11. Your Rights
When Vexera is the controller of your personal data, the GDPR gives you the following rights:
- Access (Article 15): get a copy of the personal data we hold about you.
- Rectification (Article 16): have inaccurate or incomplete data corrected.
- Erasure (Article 17): have your data deleted, subject to legal retention duties such as bookkeeping.
- Restriction (Article 18): have processing limited while a dispute or verification is pending.
- Portability (Article 20): receive data you provided to us in a structured, machine-readable format.
- Objection (Article 21): object to processing based on legitimate interest. For direct marketing the right to object is absolute; we stop immediately.
- Withdraw consent: where processing is based on consent, you can withdraw it at any time, without affecting the lawfulness of processing carried out before the withdrawal.
To exercise any of these rights, email privacy@vexera.ai. We may need to verify your identity before acting on a request. We respond without undue delay and at the latest within one month; for complex requests we may extend by up to two further months, and we will tell you if we do. Exercising your rights is free of charge, and you will not be treated differently for doing so.
If your data appears in scan data we process on behalf of a customer, please contact that customer, since they are the controller. We will assist them in answering your request.
12. Cookies
We only set cookies that are strictly necessary for the service to work: keeping you signed in, securing your session, and protecting forms against cross-site request forgery. We set no advertising, analytics, or cross-site tracking cookies.
Under the Danish Cookie Order (cookiebekendtgørelsen), strictly necessary cookies do not require consent, which is why you do not see a cookie banner on our site. If we ever introduce cookies that require consent, we will ask before setting them.
13. Third-Party Links
The website, the platform, and our reports may contain links to third-party websites, tools, and services that we do not control, for example vendor advisories or reference material about a vulnerability. Their own privacy policies apply, and we are not responsible for their practices or content.
14. Children
Vexera is a business service, is not directed at children, and does not knowingly collect personal data from anyone under 18; if we learn that we have, we delete it.
15. Complaints
If you are unhappy with how we handle your personal data, contact us at privacy@vexera.ai first; most issues can be resolved directly.
You also have the right to lodge a complaint with the Danish Data Protection Agency: Datatilsynet, Carl Jacobsens Vej 35, 2500 Valby, Denmark, phone +45 33 19 32 00, dt@datatilsynet.dk, www.datatilsynet.dk. If you live or work in another EU/EEA country, you can complain to the supervisory authority there instead.
16. Changes to This Policy
We update this policy when our processing, our vendors, or the law changes. Each version carries a version number and an effective date, shown at the top of this page.
For material changes, we notify account holders by email or in the platform before the change takes effect, and we ask you to review the updated policy the next time you sign in. Earlier versions are available on request.