DATA PROTECTION · GDPR · DPDP · CCPA

Privacy Policy

How Infilux AppSec collects, processes, and protects personal data across cybersecurity engagements, the GuardEon platform, and www.infilux.in.

Effective April 15, 2026 · Last Updated April 15, 2026

Global Privacy Framework

1. Who We Are

Infilux AppSec ("Infilux", "we", "our", "us") is a global cybersecurity services company headquartered at 301, Skywalk The Element, Gota, Ahmedabad, Gujarat 382481, India. We deliver Vulnerability Assessment & Penetration Testing (VAPT), Red Team adversary simulation, 24/7 Managed SOC, Governance–Risk–Compliance (GRC) automation, Dark Web Monitoring, and the GuardEon External Attack Surface Management (EASM) platform (https://guardeon.io) to enterprise clients worldwide.

2. Scope of This Policy

This Privacy Policy applies to (a) visitors to infilux.in and guardeon.io, (b) prospects who submit contact or sales-inquiry forms, (c) users of the GuardEon SaaS platform, and (d) authorised personnel of client organisations engaged in cybersecurity assessments or managed services. It does not cover personal data we process on behalf of our clients as a Data Processor — that processing is governed by the Data Processing Addendum (DPA) in each client's Master Services Agreement.

3. Data We Collect

Business Contact Data: name, work email, phone number, employer, job title, LinkedIn URL.

Engagement Data: scope-of-test documents, network ranges, web-application URLs, test credentials (ephemeral), application architecture diagrams, cloud provider metadata.

Security Telemetry: vulnerability scan outputs, attack-path reconstructions, exploit evidence, packet captures, SIEM logs.

Platform Data: GuardEon account details, domain/IP seeds, passive DNS data, SSL certificate metadata, dark-web monitoring keyword lists.

Website Usage: IP address, browser user-agent, pages visited, referrer URL, aggregated analytics via Google Analytics 4 and GTM (only after explicit consent via our banner).

4. Legal Bases for Processing (GDPR Art. 6 / DPDP § 6–8)

We process personal data under one or more of the following lawful bases: (a) Contract — performance of a signed MSA, SOW, or GuardEon subscription; (b) Legitimate Interests — responding to sales inquiries, protecting Infilux and client assets, product improvement; (c) Consent — marketing communications, non-essential cookies; (d) Legal Obligation — tax, AML, CERT-In reporting obligations under Indian law; (e) Vital Interests — rare cases such as notifying a breach that threatens life-safety critical infrastructure.

5. How We Use Data

We use personal data strictly to: (a) deliver contracted cybersecurity services including VAPT, red team, SOC monitoring, GRC audits, and GuardEon platform features; (b) communicate findings, remediation guidance, and engagement status; (c) manage our sales pipeline, billing, and contract lifecycle; (d) improve our detection engineering, threat intelligence, and methodology; (e) meet legal, regulatory, and audit obligations; (f) defend against and investigate suspected unauthorised activity targeting Infilux or our clients.

6. We Never Sell or Monetise Your Data

Infilux AppSec does not sell, rent, license, or otherwise monetise personal data to advertisers, data brokers, or third parties. "Sale" and "share" under CCPA/CPRA do not apply to our operations. Client vulnerability reports, assessment findings, exploit code, credentials, and any data collected during an engagement are treated as Confidential Information under the mutual NDA in every SOW and are never used to train AI models or in any cross-client benchmarking without explicit, written, per-engagement consent.

7. Security of Processing

Infilux AppSec operates an ISO/IEC 27001-aligned Information Security Management System. Client and engagement data is encrypted in transit (TLS 1.3) and at rest (AES-256). Access is granted under least-privilege, zero-trust principles — only the assigned project team can access your engagement workspace. MFA is mandatory on all internal systems. All laptops are full-disk encrypted with managed EDR. Separate, hardened environments are used for penetration-test data vs. business data. We perform internal VAPT on our own infrastructure annually and publish summary attestations on request.

8. Sub-processors

We engage carefully vetted infrastructure sub-processors under signed Data Processing Agreements (Art. 28 GDPR) that include EU Standard Contractual Clauses (SCCs) where applicable. Current sub-processors include: Amazon Web Services (cloud hosting, ap-south-1/us-east-1), Cloudflare (CDN, WAF, DNS), Microsoft 365 (business email, document collaboration), Google Workspace (email continuity, analytics), GitHub (code hosting), Vercel (web hosting for infilux.in), and Sentry (error monitoring with PII scrubbing enabled). The current list is available on request from dpo@infilux.in. We provide 30 days' notice of material sub-processor changes under active DPAs.

9. International Data Transfers

Personal data may be transferred to and processed in India, where our primary operations are located, and to other jurisdictions via our sub-processors (primarily the European Union and United States). Where personal data originates in the EEA, UK, or Switzerland, transfers to India or other third countries rely on the European Commission's Standard Contractual Clauses (2021/914/EU) plus supplementary technical measures, or other mechanisms lawful under Articles 44–49 GDPR. For DPDP Act (India) purposes, cross-border transfers are made only to jurisdictions not restricted by the Central Government.

10. Data Retention

Sales & marketing leads: 24 months from last engagement or until opt-out.

Engagement deliverables (VAPT reports, red team narratives): 7 years or as contractually required for audit/regulatory reasons.

Raw assessment telemetry (screenshots, scan outputs, exploit evidence): securely purged 90 days after engagement closure unless the client requests extended retention.

SOC log data: per client-specific retention tier (30 / 90 / 365 days).

GuardEon platform data: retained for the duration of subscription + 30-day grace period, then cryptographically erased.

Backup copies are purged within 35 days of primary deletion.

11. Your Rights

Subject to applicable law, you have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request erasure ("right to be forgotten"); (d) restrict or object to processing; (e) obtain data portability in a structured, machine-readable format; (f) withdraw consent at any time without affecting prior lawful processing; (g) lodge a complaint with your supervisory authority (ICO in the UK, CNIL in France, the Data Protection Board of India under the DPDP Act, California Attorney General under CCPA, etc.). To exercise any right, email dpo@infilux.in — we respond within 30 days.

12. Cookies & Analytics

We use first-party essential cookies required for site functionality (security, session, consent preference). Non-essential analytics — Google Analytics 4 (measurement_id G-QY9PZSJ2SC), Google Tag Manager (GTM-5KQMTHFQ), and Microsoft Clarity (project wrpokkwvsc, used for anonymised session replay + heatmaps) — fire only after you accept via our consent banner. We implement Google Consent Mode v2 and Clarity's consent API with all advertising/analytics signals defaulted to denied until you opt in. Clarity recordings mask form inputs, password fields, and any element tagged with data-clarity-mask by default. You can change or revoke consent at any time by clearing your browser's site data for infilux.in or contacting us.

13. Breach Notification

If a personal data breach is likely to result in a high risk to the rights and freedoms of affected individuals, Infilux AppSec will notify our clients and, where required, supervisory authorities without undue delay and no later than 72 hours after becoming aware of the breach, as required by GDPR Art. 33–34 and DPDP § 8(6). Under our MSA, Infilux commits to notifying clients within 24 hours of confirmed detection of any incident involving client Confidential Information or personal data we process on their behalf.

14. Responsible Disclosure

Infilux AppSec operates a Responsible Disclosure / Coordinated Vulnerability Disclosure programme. If you believe you have identified a security vulnerability in infilux.in, guardeon.io, or any Infilux service, please report it to security@infilux.in using our PGP key (available at https://infilux.in/.well-known/security.txt). We commit to acknowledging receipt within 48 hours, providing a remediation timeline, and publicly crediting researchers who follow responsible disclosure. We will not pursue legal action against researchers acting in good faith and within the scope documented in our security.txt.

15. Data Controller vs. Processor Role

When you are a prospect or user of our website: Infilux AppSec acts as an independent Data Controller. When we deliver cybersecurity services to a client (VAPT, Red Team, SOC, GRC, GuardEon): Infilux AppSec acts as a Data Processor (or Joint Controller where specified), processing personal data solely on documented instructions from the Client-Controller under the DPA signed as part of each MSA. Enterprise clients can request our standard DPA template, including EU SCCs, UK IDTA addendum, and DPDP schedule, from dpo@infilux.in.

16. Children's Privacy

Our services, website, and the GuardEon platform are designed exclusively for enterprise and business-professional use. We do not knowingly collect personal data from individuals under 18 years of age (or 16 years in the EU under Art. 8 GDPR). If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy periodically to reflect evolving regulation, new services (including GuardEon feature expansions), or changes to our sub-processors. Material changes will be announced via email to account administrators at least 30 days before taking effect. The date at the bottom of this page reflects the most recent revision; prior versions are archived and available on request.

18. Contact Us — Data Protection Officer

Infilux AppSec's designated contact for all privacy, data-protection, and DPA-related matters is our Data Protection Officer, reachable at dpo@infilux.in. General sales and support: sales@infilux.in · +91-9106266245 · 301, Skywalk The Element, Gota, Ahmedabad, Gujarat 382481, India. An EEA/UK representative (where required by Art. 27 GDPR) can be appointed upon enterprise engagement.

Data Protection Officer

Questions, data-subject requests, or DPA negotiation: dpo@infilux.in

Last Updated: April 15, 2026