Privacy Policy
Last updated: July 2026
This policy describes how Agent Breach collects and uses personal data when you use our website, create an account, or run security scans. It should be read alongside our Terms of Service and Cookie Policy.
We process identifiers (such as email), account metadata, security logs, and scan-related technical data needed to operate the platform. Optional analytics and advertising technologies load only when permitted through your cookie preferences.
Hosted Repository Scanning
When you enable hosted PR scanning, Agent Breach processes repository data required for security analysis, including source files, dependency manifests/lockfiles, workflow files, and pull request metadata.
Scan execution is limited to authorized repositories and pull request commit context (head/base) to provide targeted analysis of the requested change set.
Retention and Deletion
Hosted scan workspaces are designed to be temporary and are deleted after verification and reporting steps, including failure paths and periodic stale workspace cleanup.
Agent Breach applies the following service retention periods (from the scan or record date unless noted):
| Data type | Retention |
|---|---|
| Detailed scan findings and tool output | 90 days |
| PDF/HTML scan reports (export artifacts) | 365 days |
| Workspace activity audit logs | 90 days (Team/Business) or 365 days (Enterprise); hard delete at 365 days maximum |
| Hosted PR scan workspaces | Temporary — deleted after analysis |
| Application operational logs (CloudWatch) | 30 days |
Account deletion requests remove associated customer data where legally permitted. Some billing or security records may be retained longer when required by law.
International transfers and subprocessors
Agent Breach infrastructure primarily runs on Amazon Web Services in the EU (eu-north-1; email via SES in eu-west-1). We rely on contractual and technical safeguards consistent with our role as a processor for customer-directed scanning workloads and as a controller for account relationship data.
Subprocessors (Agent Breach platform)
| Subprocessor | Purpose | Typical data | Region |
|---|---|---|---|
| Amazon Web Services | Hosting, databases, storage, queues, email (SES), AI inference (Bedrock) | Customer account data, scan findings, reports, logs | EU (eu-north-1, eu-west-1) |
| Stripe | Subscription billing and payments | Name, email, billing details, payment tokens | Global (Stripe infrastructure) |
| Cloudflare | Turnstile CAPTCHA on public forms | IP address, browser signals | Global edge |
| GitHub | Optional CI/PR scanning integration | Repository metadata and code (customer-authorized repos) | Global (GitHub) |
| Optional social integration | OAuth tokens and profile identifiers | Global (LinkedIn/Microsoft) | |
| Shodan (optional) | Attack-surface enrichment for authorized targets | Hostnames and IP metadata | US (Shodan API) |
We maintain an internal subprocessor register reviewed quarterly. Enterprise customers may request additional detail during procurement. Voqua Tech S.L. (operator of Agent Breach) corporate site: voqua-tech.com.
Consent and Legal Basis
Hosted repository scanning requires explicit customer consent in the integrations flow and may require re-consent when processing terms materially change.
For support or data requests, contact the Agent Breach support channel listed on the Support page.
Account and communications
We use your email to authenticate you, send operational notices (such as scan completion or billing receipts), and—where allowed—product updates. You can control marketing communications through unsubscribe links where applicable.
If you subscribe to our optional security email updates on the Blog page, we store your email address only to send those digests and an unsubscribe link is included in every message. You may opt out at any time using that link.
Your choices
You may request access, correction, or deletion of certain personal data subject to legal retention requirements. Visit Support for the fastest routing of privacy-related requests.