
Privacy Policy

Bastion’s use and transfer of information received from Google APIs to any other app will comply with the Google API Services User Data Policy, including the Limited Use requirements.

The website www.bastion.tech (the “Website”) and the application app.bastion.tech (the “Application”) are operated by Bastion, a simplified joint-stock company with share capital of €12,000.00, headquartered at 65 rue de la Croix, 92000 Nanterre, registered with the Nanterre Trade and Companies Register under number 921 179 925.

This Privacy Policy explains how we collect and process personal data when you use our services (the “Services”). We may update this Policy from time to time to reflect legal requirements or changes in our practices. The version available on the Website and Application at the time of your use applies.

Definitions

  • Personal Data: any information relating to an identified or identifiable natural person (the “Data Subject”).
  • Processing: any operation performed on Personal Data, such as collection, recording, storage, adaptation, use, disclosure, restriction, or erasure.
  • Controller: the entity that determines the purposes and means of Processing.
  • Processor: the entity that processes Personal Data on behalf of the Controller.

Processing for which Bastion is the Controller

Article I — Data processed, purposes, legal basis, and retention

| Purpose | Categories of Data | Legal Basis | Retention Period |
|---|---|---|---|
| Managing contact requests | Email address | Bastion’s legitimate interest in responding to requests | Up to 3 years from the last interaction |
| Newsletter management | Email address, name | Consent | Until consent is withdrawn or up to 3 years from last interaction |
| Account access | Email address, password, IP address, name | Consent upon registration (acceptance of Terms of Use and this Policy) | Inactive accounts may be deleted after 3 years |
| Billing, customer relations, support | Email, phone, full name, postal address of company representative | Performance of contract and legal obligations | Up to 5 years after the end of the contractual relationship, unless longer retention is required by law |
| Cookies and trackers | IP address, online identifiers | Legitimate interest for strictly necessary cookies; consent for others | According to the lifespan of each cookie |

Article II — Data recipients

Personal Data may be accessed by Bastion personnel and by trusted service providers acting on our instructions, only where necessary for the purposes described above. We ensure that such parties are subject to appropriate confidentiality and security obligations.

Article III — Data Protection Officer (DPO)

You can contact our DPO at: dataprivacy@bastion.tech.

Article IV — Your rights

  1. Access, rectification, and erasure: you may request access to, correction of, or deletion of your Personal Data, subject to legal limitations.
  2. Data portability: where applicable, you may request to receive your Personal Data in a structured, commonly used, machine-readable format.
  3. Restriction and objection: you may request restriction of processing or object to processing where permitted under GDPR.
  4. Withdrawal of consent: when processing is based on your consent (e.g. newsletters, optional cookies), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  5. Exercising your rights: requests should be sent to dataprivacy@bastion.tech, including sufficient information to identify you. We will respond in accordance with applicable law.

You also have the right to lodge a complaint with your local supervisory authority, such as the Commission Nationale de l’Informatique et des Libertés (CNIL), www.cnil.fr.

Article V — Automated decision-making

Bastion does not engage in automated decision-making or profiling that produces legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.

Article VI — Children’s data

Our Services are not directed to children under the age of 16, and we do not knowingly collect their Personal Data.

Processing for which Bastion is the Processor

When providing vulnerability analysis and related services, Bastion acts as a Processor and processes Personal Data on behalf of and under the instructions of its client (the Controller).

Article I — Description of processing

| Processing | Data Subjects | Data Categories | Purpose |
|---|---|---|---|
| External vulnerability analysis | Employees, collaborators, clients | Email, password, IP address, name | Identify and report vulnerabilities of the client’s technology assets |
| Automated analysis of persistent vulnerabilities | Employees, collaborators, clients | Email, password, IP address, name | Provide reporting on recurring vulnerabilities for client account management |

Article II — Duration

Processing is carried out for the duration of the Services and as otherwise required by law or agreed with the Client.

Article III — Bastion’s obligations as Processor

  1. Process Personal Data only on documented instructions from the Client, unless required otherwise by law.
  2. Maintain appropriate confidentiality and security of Personal Data.
  3. Ensure personnel authorized to process Personal Data are subject to confidentiality obligations and receive appropriate training.
  4. Implement appropriate technical and organizational measures, taking into account the state of the art, costs, and nature of processing.
  5. Assist the Client, where reasonably possible, in meeting GDPR obligations such as data subject rights, DPIAs, and breach notifications.

Article IV — Sub-processing

Bastion may engage trusted sub-processors (such as hosting, payment, or signature providers). Current sub-processors include: Amazon Web Services (hosting), Google Cloud Platform (hosting), Stripe (payments), and Yousign (electronic signatures). We ensure they are bound by obligations at least as protective as those in this Policy. Bastion remains responsible for their compliance in relation to the Services provided.

Article V — Data Subject information

The Client is responsible for informing Data Subjects of processing activities and for obtaining any necessary consents in accordance with applicable law.

Article VI — Exercising rights

Requests from Data Subjects should be addressed to the Client, who acts as Controller. Bastion will support the Client in responding, to the extent reasonably possible. Any request received directly by Bastion will be forwarded to the Client without undue delay.

Article VII — Data breaches

If Bastion becomes aware of a Personal Data breach, we will notify the Client without undue delay and provide available information to help the Client meet its legal obligations. The Client remains responsible for notifying authorities and/or Data Subjects where required.

Article VIII — Assistance

Bastion will provide reasonable assistance to the Client with Data Protection Impact Assessments (DPIAs) and any required prior consultations with supervisory authorities.

Article IX — Security measures

  • Confidentiality undertakings for employees and contractors.
  • Awareness and training on data protection and security practices.
  • Account and access controls, including strong authentication requirements.
  • Physical security for premises and equipment.
  • Secure workstation provisioning, configuration, and disposal.
  • Restricted use of and access to Personal Data, with no disclosure to unauthorized third parties.

Article X — End of processing

Upon termination of the Services, Bastion will delete or return Personal Data, unless retention is required by applicable law or otherwise agreed with the Client. Where deletion is not possible, we will ensure continued protection of the Personal Data.

Article XI — Data Protection Officer

Contact: dataprivacy@bastion.tech.

Article XII — Records of processing

Bastion maintains records of processing activities carried out on behalf of Clients, as required under GDPR.

Article XIII — Documentation and audits

Bastion will make available information reasonably necessary to demonstrate compliance and allow audits or inspections by the Client, subject to agreed conditions to protect security and confidentiality.

Article XIV — Client obligations

  • Provide documented instructions for processing Personal Data.
  • Ensure it has a valid legal basis for processing and sharing Personal Data with Bastion.
  • Supervise processing activities, including through audits where appropriate.