Privacy Policy
How NullSquare handles customer and security data
This policy explains what we collect, why we collect it, how long we keep it, and how we protect data when you use NullSquare.
NullSquare is designed around limited data access: private-runner runs execute inside your own environment, hosted runs use isolated execution sandboxes, and customer scan content is not used for AI training without written permission.
Scope and role
This Privacy Policy covers the NullSquare website, platform, free assessment, private runner, GitHub integration, reports, and support channels.
NullSquare is the controller for website, account, billing, support, sales, and platform telemetry data. For customer assessment content, NullSquare processes data according to the customer instructions and applicable service agreement.
Data we collect
We collect only the data needed to operate, secure, support, and improve the service.
- Account and contact data: name, business email, company, role, authentication identifiers, workspace membership, and communication preferences.
- Billing data: plan, invoice, tax, and payment status data. Payment card details are handled by our payment processor and are not stored by NullSquare.
- Website and device data: pages visited, referral source, approximate location, browser, device, cookie identifiers, diagnostics, and security logs.
- Assessment inputs: domains, IPs, repositories, API endpoints, scope instructions, test credentials, and scan configuration.
- Assessment outputs: validated findings, proof-of-concept evidence, severity, remediation guidance, retest status, compliance evidence, and report metadata.
- Runner and integration data: private-runner status, GitHub pull request metadata, CI events, webhook logs, and integration configuration.
- Support and sales data: messages, meeting notes, demos, feedback, and information you choose to share with our team.
How we use data
We use data for the specific purposes needed to deliver a security testing platform.
- Run authorized assessments, validate findings, generate reports, and retest fixes.
- Verify authorization, enforce scope, prevent abuse, investigate incidents, and protect the platform.
- Operate accounts, authentication, billing, support, notifications, and customer communications.
- Improve reliability, performance, user experience, and product quality using telemetry and aggregated or de-identified data.
- Prepare compliance evidence requested by customers, including SOC 2, ISO 27001, HIPAA, and PCI-DSS oriented report material.
- Comply with law, enforce agreements, resolve disputes, collect fees, and respond to lawful requests.
Customer data, scan content, and AI models
You retain ownership of your targets, code, credentials, configurations, assessment inputs, findings, and reports. NullSquare uses that data only to provide, secure, support, and improve the service as described here or in a signed agreement.
- We do not sell customer data or personal data.
- We do not train general-purpose AI models on customer code, credentials, scan targets, findings, or reports without explicit written permission.
- For private-runner deployments, testing runs inside the customer environment. NullSquare receives only metadata, findings, reports, or operational data configured by the customer or required to operate the service.
- For hosted scans, execution sandboxes are isolated and destroyed after completion. Raw workspaces, credentials, and temporary execution data are not retained by default.
Sharing and subprocessors
We share data only with parties needed to operate NullSquare, comply with law, or complete a customer-requested workflow.
- Infrastructure, hosting, storage, logging, observability, and security providers.
- Payment, tax, invoicing, email, support, CRM, and customer communication providers.
- AI model or analysis providers used to perform hosted assessment workflows, subject to configuration and contractual controls.
- Professional advisers, auditors, insurers, law enforcement, regulators, or courts where legally required or necessary to protect rights and safety.
- A successor or buyer if NullSquare is involved in a merger, acquisition, financing, restructuring, or sale of assets.
Retention and deletion
We keep data only as long as needed for the purpose collected, the customer configuration, contractual requirements, security, legal obligations, or legitimate business needs.
- Account, billing, and support records are kept while your account is active and as needed for tax, audit, dispute, and legal requirements.
- Reports, vulnerability records, and compliance evidence remain available in your dashboard until deleted, exported, expired under your plan, or removed after account closure.
- Hosted execution sandboxes and temporary workspaces are destroyed after run completion unless an investigation, debugging request, or legal obligation requires preservation.
- Credentials provided for scans should be scoped, revocable, and temporary. NullSquare deletes or disables stored credentials when no longer needed to provide the service.
Security controls
Report suspected vulnerabilities or incidents to security@nullsquare.net.
- TLS for data in transit and encryption for stored data where supported by our infrastructure.
- Role-based access controls, least-privilege operations, audit logging, and restricted production access.
- Docker-based isolation for hosted execution and private-runner deployment options for internal environments.
- Security monitoring, vulnerability management, incident investigation, and vendor review processes.
Cookies and analytics
We use cookies and similar technologies for authentication, security, preferences, performance, analytics, and marketing attribution. You can manage browser cookie settings, but disabling essential cookies may prevent parts of the service from working.
Your rights and choices
Depending on your location, you may have rights to access, correct, delete, export, restrict, or object to processing of personal data. You may also opt out of marketing emails and withdraw consent where processing is based on consent.
To make a request, contact legal@nullsquare.net. We may need information to verify your identity and authority before fulfilling a request.
International transfers, children, and changes
NullSquare serves customers globally, including Canada, the United States, the United Kingdom, and Europe. Data may be processed in countries where NullSquare, customers, and subprocessors operate. Where required, we use appropriate contractual or legal safeguards for transfers.
NullSquare is not intended for children under 16, and we do not knowingly collect personal data from children under 16.
We may update this policy as the product and legal requirements change. Material changes will be posted on this page or communicated through the service.