Privacy Policy

Effective Date: 05 January 2026

1. About This Privacy Policy

This Privacy Policy explains how AttackForge Pty Ltd ("AttackForge", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you access or use our offensive security management and reporting platform, websites (including attackforge.com and support.attackforge.com), APIs, and related services (collectively, the "Services").

This policy is designed to comply with the European Union General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and other applicable data protection laws. Where we process personal data as a data processor on behalf of our customers, the relevant customer's privacy policy and data processing agreement will also apply.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, please do not use our Services.

2. Who We Are

AttackForge Pty Ltd is an Australian proprietary company headquartered at 121 King Street, Melbourne, Australia 3000. We are the provider of the AttackForge platform, an offensive security management and reporting solution used by security professionals, consultancies, and enterprise organisations worldwide.

Data Controller: For personal data collected directly through our websites, marketing activities, account registration, and support services, AttackForge Pty Ltd acts as the data controller.

Data Processor: For personal data processed within customer tenants on the AttackForge platform (such as vulnerability data, project data, and team member information entered by our customers), AttackForge acts as a data processor on behalf of the customer (who is the data controller).

Contact for Privacy Matters: [email protected]

Representative

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

  • European Union (EU)

Prighter gives you an easy way to exercise your privacy-related rights. If you want to contact us via our representative, Prighter, or make use of your data subject rights, please visit the following website: https://app.prighter.com/portal/13640039914

3. Personal Data We Collect

We collect and process the following categories of personal data:

3.1 Account and Registration Data

  • Full name

  • Email address

  • Username and password (hashed and salted using bcrypt)

  • Multi-factor authentication (TOTP) configuration data

  • Single Sign-On (SSO) identity provider tokens and identifiers

3.2 Usage and Platform Data

  • IP addresses and access logs

  • Browser type, operating system, and device information

  • Pages visited, features used, and actions taken within the platform

  • Timestamps of login sessions and platform interactions

  • User role assignments and permissions (e.g. application roles, project roles, delegations)

3.3 Customer-Controlled Data (Processor Role)

When customers use the AttackForge platform, they may input personal data that we process on their behalf, including:

  • Names and contact details of project team members (security testers, developers, managers, clients)

  • Vulnerability reports, security assessment data, and related findings

  • Project workspace content including notes, files, and testing logs

  • Asset information (IP addresses, hostnames, application URLs)

  • Custom fields and forms configured by the customer

3.4 Communications and Support Data

  • Email correspondence with our support and sales teams

  • Support ticket content and metadata

  • Feedback, survey responses, and testimonials

3.5 Payment and Billing Data

  • Billing contact information

  • Subscription plan and payment history

Note: We do not directly store credit card numbers or full payment card details. Payment processing is handled by third-party payment processors who are PCI DSS compliant.

3.6 Cookies and Technical Data

  • Cookie identifiers and session tokens

  • Referral source and landing page information

4. How We Collect Your Personal Data

We collect personal data through the following means:

  • Directly from you: when you register for an account, request a free trial, contact us, subscribe to our services, or communicate with our team.

  • Through your use of our Services: automatically collected via cookies, server logs, and platform analytics when you interact with our websites and platform.

  • From your organisation: when your employer or client organisation creates an account for you or invites you to a project on the AttackForge platform.

  • Via Single Sign-On (SSO): when your organisation uses OAuth2 OpenID Connect (OIDC) integration, we receive identity attributes from your identity provider, including support for Just-in-Time user provisioning.

  • From third-party integrations: when you connect AttackForge with tools such as JIRA, ServiceNow, Azure DevOps, or use our Self-Service APIs, Flows, or MCP (Model Context Protocol) integrations.

5. Legal Basis for Processing

Under Article 6 of the GDPR, we rely on the following legal bases for processing your personal data:

| Legal Basis          | Purpose                                                                                                        | GDPR Article |
|----------------------|----------------------------------------------------------------------------------------------------------------|--------------|
| Contract Performance | Providing and maintaining our platform, processing registrations, and delivering subscribed services           | Art. 6(1)(b) |
| Legitimate Interest  | Improving our Services, ensuring platform security, conducting analytics, and marketing to existing customers  | Art. 6(1)(f) |
| Consent              | Sending marketing communications, placing non-essential cookies, and processing data for optional features     | Art. 6(1)(a) |
| Legal Obligation     | Complying with applicable laws, regulations, legal processes, and enforceable governmental requests            | Art. 6(1)(c) |

Where we process personal data as a data processor, the legal basis is determined by our customer (the data controller).

6. How We Use Your Personal Data

We use your personal data for the following purposes:

  • Account management: creating, maintaining, and authenticating user accounts, including multi-factor authentication (MFA) enforcement.

  • Service delivery: providing access to the AttackForge platform, including project management, vulnerability tracking, reporting, collaboration features, and AI-assisted features via MCP integrations.

  • Platform operations: managing user roles and permissions through role-based access controls (RBAC), enforcing security policies, and administering tenant configurations.

  • Notifications: sending project updates, vulnerability alerts, SLA notifications, daily/weekly summaries, and rules-based email notifications as configured by users or administrators.

  • Reporting: generating on-demand penetration testing reports, executive dashboards, trend analysis, and portfolio tracking.

  • Integrations: facilitating data exchange with third-party tools (e.g. JIRA, ServiceNow, Azure DevOps) via Flows, Self-Service APIs, and Events APIs.

  • Support: responding to enquiries, resolving issues, and providing technical assistance.

  • Improvement: analysing usage patterns to enhance platform features, usability, and performance.

  • Security: detecting and preventing fraud, unauthorised access, and other malicious activities; conducting security assessments of our own infrastructure.

  • Compliance: meeting legal, regulatory, and contractual obligations, including SOC 2 audit requirements.

  • Marketing: sending information about new features, product updates, and relevant content (with your consent where required).

7. Data Sharing and Disclosure

We do not sell your personal data. We may share personal data with the following categories of recipients:

7.1 Infrastructure and Hosting Providers

For our Cloud deployment option, we use Microsoft Azure and MongoDB Cloud (MongoDB Atlas) for compute and storage services. Your data is hosted on dedicated single-tenant infrastructure in the Azure region of your choosing. These providers maintain comprehensive security certifications and compliance standards.

7.2 Payment Processors

We use third-party payment processors to handle subscription billing. These processors are PCI DSS compliant and only receive the data necessary to process your payments.

7.3 Customer-Directed Integrations

When you or your organisation configures integrations with third-party services (such as JIRA, ServiceNow, Azure DevOps, or AI assistants via MCP), data may be shared with those services as directed by you or your tenant administrator.

7.4 Legal Requirements

We may disclose personal data when required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property.

7.5 Business Transfers

In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of the transaction. We will notify affected users of any change in ownership or control.

8. International Data Transfers

AttackForge is headquartered in Australia and serves customers globally. Personal data may be transferred to, stored, and processed in countries outside the European Economic Area (EEA) or the United Kingdom.

Where such transfers occur, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.

  • Adequacy decisions by the European Commission recognising the receiving country's level of data protection.

  • Binding Corporate Rules or other approved transfer mechanisms where applicable.

For AttackForge Core and AttackForge Enterprise SaaS, customers can select the Azure region where their data is hosted, allowing data residency in the EEA or UK. For AttackForge Enterprise Server (On-Premises), all data resides on the customer's own infrastructure and no data is transferred to AttackForge.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law:

  • Account data: retained for the duration of your active account and for a reasonable period thereafter to allow for reactivation or to comply with legal obligations.

  • Platform data (Controller role): project data and vulnerability information in our cloud-hosted tenants is retained for the duration of the customer's subscription. Upon termination, data is deleted in accordance with the applicable service agreement.

  • Platform data (Processor role): retained and deleted in accordance with the customer's instructions.

  • Support and communications data: retained for up to 36 months after the last interaction for quality assurance and audit purposes.

  • Billing records: retained as required by applicable tax and accounting legislation.

  • Server logs and security data: retained for up to 36 months for security monitoring and incident investigation.

For the On-Premises deployment option, data retention is entirely controlled by the customer, as all data persists on the customer's own server in Docker/Podman volumes.

10. Data Security

AttackForge implements robust technical and organisational measures to protect personal data against unauthorised access, loss, misuse, or alteration. These measures include:

  • Encryption in transit: all traffic to and from our services is encrypted using TLS v1.2+ with strong cipher suites.

  • Authentication security: passwords are stored using bcrypt hashing with salting. Multi-factor authentication (TOTP) is mandatory and enforced by default on all accounts.

  • Access controls: role-based access controls (RBAC) at multiple levels ensure that users can only access data they are authorised to view.

  • Infrastructure security: dedicated single-tenant infrastructure with firewalled access points, IP whitelisting (Enterprise), and network access controls.

  • SOC 2 Type II certification: AttackForge is SOC 2 Type II certified, demonstrating our commitment to security, availability, and confidentiality controls.

  • Regular security assessments: our infrastructure and application are subject to regular third-party penetration testing.

  • Air-gapped option: the Enterprise Server (On-Premises) deployment runs on a single Linux server, operates in air-gapped environments, and requires no internet connectivity.

  • Strong password policies: we enforce robust password requirements across all accounts.

11. Your Rights Under the GDPR

If you are located in the EEA or the UK, you have the following rights regarding your personal data under the GDPR and UK GDPR:

| Right               | Description                                                                                                                       |
|---------------------|-----------------------------------------------------------------------------------------------------------------------------------|
| Access              | You may request confirmation of whether we process your personal data and obtain a copy of that data.                            |
| Rectification       | You may request correction of inaccurate or incomplete personal data.                                                            |
| Erasure             | You may request deletion of your personal data where there is no compelling reason for continued processing.                     |
| Restrict Processing | You may request that we limit the processing of your personal data in certain circumstances.                                     |
| Data Portability    | You may request a copy of your personal data in a structured, commonly used, and machine-readable format.                        |
| Object              | You may object to processing based on legitimate interests or for direct marketing purposes.                                     |
| Withdraw Consent    | Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing. |
| Lodge a Complaint   | You have the right to lodge a complaint with your local supervisory authority (data protection authority).                       |

To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days (or as required by applicable law). We may request additional information to verify your identity before processing your request.

Important: Where AttackForge acts as a data processor, requests regarding personal data within a customer's tenant should be directed to the relevant customer (the data controller). We will assist the data controller in fulfilling such requests where possible.

12. Cookies and Tracking Technologies

Our websites use cookies and similar technologies for the following purposes:

  • Essential cookies: required for the operation of our websites and platform, including session management and authentication. These cookies are strictly necessary and do not require consent.

  • Analytics cookies: used to understand how visitors interact with our websites, enabling us to improve user experience and platform performance.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of our Services.

13. Third-Party Links and Integrations

Our Services may contain links to third-party websites and integrate with third-party tools and services (including JIRA, ServiceNow, Azure DevOps, AI model providers, and others). We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you interact with through our platform.

When using AI-assisted features via the Model Context Protocol (MCP), data may be transmitted to external AI model providers as configured by you or your tenant administrator. AttackForge supports local and open-source model configurations for organisations that wish to keep AI processing on-premises.

14. Children's Privacy

Our Services are designed for use by security professionals and business organisations. We do not knowingly collect personal data from individuals under the age of 16 (or such lower age as applicable under local law). If we become aware that we have collected personal data from a child, we will take steps to delete that information promptly. If you believe that a child has provided us with personal data, please contact us at [email protected].

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Effective Date" at the top of this policy and, where appropriate, providing notice through our platform or via email.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

AttackForge Pty Ltd

121 King Street

Melbourne, Australia 3000

Email: [email protected]

Website: https://attackforge.com

Support: https://support.attackforge.com